Ring Key-Homomorphic Weak PRFs and Applications · Ring Key-Homomorphic Weak PRFs and Applications Navid Alamati Hart Montgomeryy ... This is despite the fact that, in our opinion,

Ring Key-Homomorphic Weak PRFs and Applications

Navid Alamati∗ Hart Montgomery† Sikhar Patranabis‡

Abstract

A weak pseudorandom function F : K × X → Y is said to be ring key-homomorphic if, given F (k1, x) andF (k2, x), there are efficient algorithms to compute F (k1 ⊕ k2, x) and F (k1 ⊗ k2, x) where⊕ and⊗ are the additionand multiplication operations in the ring K, respectively. In this work, we initiate the study of ring key-homomorphicweak PRFs (RKHwPRFs). In particular, we show that the following primitives can be constructed from any RKHwPRF:

• Multiparty non-interactive key exchange (NIKE) for an arbitrary number of parties.

• Indistinguishability obfuscation for all circuits inNC1.

Our proofs are in the standard model, and the proof for our iO scheme is program-independent. Our iO scheme canalso be bootstrapped to all polynomial-size circuits using standard techniques. We also consider restricted versions ofRKHwPRFs that are structurally weaker than a classic RKHwPRF but suffice for all our constructions. We show howto instantiate these restricted RKHwPRFs from various multilinear maps and associated assumptions. Our frameworkgives several new results, such as:

• The first iO scheme that relies only on SXDH over any asymmetric multilinear map without additional assump-tions.

• The first iO scheme that relies only on DLIN (or more generally Matrix-DDH) over any (even symmetric)multilinear map without additional assumptions.

• The first iO scheme that relies on SXDH over the multilinear map presented by Ma and Zhandry (TCC’18) (theauthors only presented a NIKE protocol in their paper). To our knowledge, this candidate multilinear map hasnot been successfully cryptanalyzed, and the SXDH assumption plausibly holds over it.

Our analysis of RKHwPRFs in a sense completes the work initiated by Alamati et al. (EUROCRYPT’19) onbuilding cryptosystems from generic Minicrypt primitives with structure. With our results, almost all of the majorknown cryptosystems can be built from a weak PRF with either a group or ring homomorphism over either the inputspace or the key space. Thus, a major contribution of this work is advancing the study of the relationship betweenstructure and cryptography.

∗University of Michigan.†Fujitsu Laboratories of America.‡ETH Zurich.

1

1 IntroductionA long-standing line of work in the research of theoretical cryptography has been to build cryptosystems with

more functionalities from more structured mathematical assumptions. A major initial development in this directionwas the invention of public-key encryption (PKE) [RSA78, DH76]. Many years later, the development of pairing-based cryptography allowed for more exciting constructions such as identity-based encryption [BF01] and three-partynoninteractive key exchange [Jou00], both of which were not known from previously studied assumptions. Whilepairing-based cryptography needed stronger assumptions than previously known PKE schemes, the absence of classicalattacks over the past (almost) twenty years since the introduction of these assumptions has seemingly justified theirusage [MSS16].

Soon after pairing-based cryptography was developed, Regev introduced a new lattice-based assumption calledlearning with errors (LWE) in his seminal paper [Reg05]. This enabled realizing even richer cryptographic functionalities.Most notably, Gentry’s candidate construction of fully-homomorphic encryption (FHE) [Gen09] brought exciting newpossibilities for secure computation on the cloud. Follow-up works [BV11, Bra12, GSW13] introduced new techniquesthat not only improved this construction, but also allowed us to build other interesting cryptographic functionalities.

In 2013, Garg, Gentry, and Halevi proposed the first candidate multilinear map construction [GGH13a] whichgained a lot of attention of the cryptographic community. Soon after, Garg et al. [GGH+13b] showed how to buildindistinguishability obfuscation (iO) [BGI+01] from multilinear maps. This was particularly notable since obfuscationseemed to be the holy grail in terms of theoretical cryptographic functionality: virtually everything one might want tobuild in a cryptosystem is possible with iO (and some other mild assumptions): functional encryption [GGH+13b],multi-party noninteractive key exchange [BZ14], and much more [SW14, GGHR14, HSW14, BP15].

All of these applications spurred a huge interest in building graded encodings1 and iO from more standardassumptions and using more efficient constructions. In a short time, other candidate graded encoding schemes [CLT13,GGH15] and even direct iO constructions [Zim15, AB15] were proposed. Unfortunately, several of these candidateconstructions were cryptanalized, starting with the work of Cheon et al. [CHL+15] on the cryptanalysis of the multilinearmap defined in [CLT13]. More attacks on iO constructions followed [MSZ16, HJ16, CLLT16], breaking all of theoriginal graded encoding schemes.

Naturally, people attempted to improve existing constructions to be immune to these attacks [CLT15, BMSZ15,GMM+16], but many of these improved constructions were also shown to be vulnerable to attacks [MSZ16, CGH17].As far as we know, there is only one currently unbroken published multilinear map [MZ18] and it is not known to implyiO.2

A series of relatively recent works [Lin16, LV16, LT17, AS17] showed how to reduce the degree of multilinearityneeded in a multilinear map in order to build iO using novel techniques such as local PRGs. In fact, in [LT17], the authorsshowed a construction from bilinear maps and 2-blockwise local PRGs, which seemingly paved the way for a secure iOconstruction. However, Lombardi and Vaikuntanathan [LV17] and Barak et al. [BBKK18] independently showed that2-blockwise local PRGs could never be constructed securely, unfortunately implying that such iO constructions are notsecure.

More recent works [Agr19, AM18, AJL+19, JLMS19] have used a number of interesting and novel new techniques,including using perturbation resilient generators.3 While these constructions provide many new insights, they are stillbased on less studied assumptions, and we would like to achieve the “holy grail” of constructing iO from standardcryptographic assumptions. Indeed, the fact that more recent, novel iO assumptions such as (most) multilinear mapsand 2-blockwise local PRGs have been broken has caused some consternation in the wider cryptographic communityabout the plausibility of iO. Bishop et al. summarized this sentiment in [BKM+19].

In this paper, we study iO in a way that differs from the traditional approach of directly proposing more assumptionsand constructions (although we certainly agree that this traditional approach has plenty of merit). While others haverelated iO to primitives such as functional encryption [AJ15, BV15] and constraint-hiding constrained PRFs [CC17,BKM17], our approach is motivated by questions such as: what sort of mathematical structure is seemingly sufficient

1Graded encodings are generalizations of multilinear maps.2Martin Albrecht and Alex Davidson have created a website on attacks related to graded encodings and iO constructions [Alb19]. Although it is

not completely up to date, we refer the reader to this website for more information on concrete iO constructions and attacks.3We refer the reader to [HB15] for a survey of multilinear maps and iO.

2

for realizing iO? It is our hope that studying the complexity of iO can help us to either build or rule out constructions ofiO from certain assumptions. Due to the promise that iO offers in terms of cryptographic applications, we think this is avery worthwhile goal in theoretical cryptography.

1.1 Structure and CryptographyIt has long been assumed by many in the cryptographic community that there is some kind of relationship betweenmathematical structure and public-key cryptography. Barak [Bar17] has frequently ruminated on this topic. Very recently,this was formalized in a work by Alamati et al. [AMPR19] that focused on the relationship between mathematicalstructure and cryptographic functionality.

In [AMPR19], the authors showed that applying input homomorphisms to simple primitives in Minicrypt like weakPRFs allows us to build many primitives in Cryptomania. For instance, a simple group input-homomorphic weakpseudorandom function (IHwPRF) can be used to build most of the cryptosystems that we know how to build from theDDH assumption, and a ring input-homomorphic weak PRF, with some restrictions, is equivalent to FHE. The authorsdo consider structured functions that are equivalent to bilinear/multilinear maps in the form of “`-composable inputhomomorphic functions,” but their definitions are unsatisfactory since they almost mimic multilinear maps.

In a follow-up work [AMP19], Alamati et al. considered simple primitives with structured secrets. Whilethis work has some novel insights on key homomorphisms [NPR99, BLMR13] over simple primitives, it does notconsider higher-order applications like multilinear maps or iO. So despite all of the recent work studying mathematicalstructure in cryptography, there is very little to show on iO and related primitives like multi-party non-interactive keyexchange (NIKE). This is despite the fact that, in our opinion, iO is the most important primitive for which we need tostudy the required mathematical structure, because a good formalization of the structure required for iO would hopefullyallows us more insights on the security of constructions (or, perhaps more pessimistically, negative results).

So the question remains: can we come up with simple, structured primitives that imply iO, thus providing moreinsight on the kind of assumptions (or mathematical structure) that are seemingly sufficient to realize iO?

1.2 Our ContributionsWe answer this question in the affirmative. We define new, simple primitives called ring key-homomorphic weak pseudo-random functions (RKHwPRF) and ring-embedded homomorphic sysnthesizers (RHS). Ring-embedded homomorphicsynthesizers are, informally, a substantially weaker form of RKHwPRF where an adversary doesn’t get to see the inputvalues to the weak PRF (we define these primitives formally later in the paper). We show how to build iO from a genericRHS (even in the presence of some structural restrictions), and also show that any graded encoding or multilinearmap that satisfies some basic assumptions can be used to build a (restricted) RHS. Along the way we discover severaldifferent interesting observations on the relationship between ring structure and cryptographic primitives. We outlinethis in the rest of this section. We refer to Figure 1 for a (simplified) overview of our results.

Definitions. We begin the technical content of our paper by defining several new primitives, including ring key-homomorphic weak PRFs and ring homomorphic synthesizers.

As an example, we informally say that a weak PRF is ring key-homomorphic if, for some weak PRF F : K×X → Ysuch that both the keyspace (K,⊕,⊗) and the output space (Y,�,�) are rings with efficiently computable ringoperations, the following hold:

F (k1, x)� F (k2, x) = F (k1 ⊕ k2, x) ,

F (k1, x)� F (k2, x) = F (k1 ⊗ k2, x) .

We refer to the above definition as a “classic” ring key-homomorphic weak PRF. We can further generalize thisdefinition to cover a number of additional situations. All of our constructions accommodate approximate (or bounded)homomorphisms like in lattice-based assumptions. We can also handle cases (like in graded encodings or asymmetricmultilinear maps) where we have “slots” for elements, and the elements must be multiplied in a certain order. Inaddition, our constructions allow for what we call “partial” RKHwPRFs where we sacrifice determinism and use somerandomness in order to ensure security.

3

Minicrypt and Ring Homomorphism

Ring IHwPRFRing-embeddedHomomorphic

SynthesizerRing KHwPRF

FHE MultipartyNoninteractiveKey Exchange

iaiO for NC1 iO for NC1

~

?[AMPR19]§4

§5 [GLSW15]?: The implication holds when out-put space of Ring IHwPRF is small.~: The implication holds when inputspace of Ring IHwPRF does notdepend on key.→: Striaghtforward implication

Figure 1: Implications of symmetric primitives with ring homomorphism

Furthermore, our constructions and definitions work for the case where the output space is a ring embedding:namely, the output space itself does not have an efficient multiplication algorithm and instead multiplication is carriedout by some other algorithm. For instance, bilinear groups are examples of ring embeddings. We fully explain thesedefinitions in more detail later in the paper.

Our definitions can also be extended in the context of pseudorandom synthesizers. Recall that, informally, apseudorandom synthesizer is a two-input function S (·, ·) parameterized by two sets X andW such that on randominputs (x1, ...., xm) ∈ Xm and (w1, ..., wn) ∈ Wn, the matrix M defined using all mn values of S such thatS (xi, wj) = Mij is indistinguishable from random. Synthesizers were introduced by Naor and Reingold in [NR95],where they proved that any secure pseudorandom synthesizer could be used to build a PRF with logarithmic depth interms of the number of synthesizer evaluations.

We extend these definitions of synthesizers to require that a ring homomorphism hold over one of the coordinates ofthe synthesizer; in other words, for any x ∈ X and any w,w′ ∈ W , we have

S (x,w)� S (x,w′) = S (x,w ⊕ w′) ,

S (x,w)� S (x,w′) = S (x,w ⊗ w′) .

Our definition of ring-embedded homomorphic synthesizer (RHS) weakens these requirements even further byrequiring that the homomorphism holds only with respect to addition, and that multiplication can be efficiently doneonly on the output space of the synthesizer; in other words, we do not actually require the multiplicative homomorphism.It is straightforward to see that a ring-embedded homomorphic synthesizer is implied by any ring-homomorphicsynthesizer as defined above, which in turn is implied by any ring key-homomorphic weak PRF (RKHwPRF). We canfurther generalize RHSs in the same ways we generalize RKHwPRFs. We refer the reader to Section 3 for the formaldefinitions.

Multi-Party NIKE from RHS. Our first result is a construction of multi-party noninteractive key exchange from aring-embedded homomorphic synthesizer. As we have suggested already, our construction also immediately implies aconstruction from a RKHwPRF. We elaborate more on this result in our technical overview, Section 2.

Building iO from RHS. Our second result is a construction of iO (for NC1) from a ring-embedded homomorphicsynthesizer. More concretely, we show how to build an input-activated iO from any RHS, which in turn implies standardiO due to [GLSW15]. Our construction is inspired by the [GLSW15] construction. To prove security, we only rely on

4

the security of the RHS and do not need any other assumptions, except if we want to extend past NC1 functions; in thelatter case, we also need FHE [GGH+13b].

Our iO construction is built from a program-independent assumption (the security of the RHS) and is in the standardmodel.1 We do not restrict the adversary to any specific kind of attacks.

We develop many new techniques for dealing with noncommutative rings in our construction and proof. Ourtechniques depart significantly from those used in existing iO constructions based on multilinear maps/graded encodings,since these constructions are typically based on hardness assumptions over commutative rings. We believe that thesetechniques are of independent interest and would hopefully enable building other cryptoprimitives over generic rings.

iO from SXDH on Multilinear Maps. Gentry et al. show that a generic multilinear map that satisfies the multilinearsubgroup elimination assumption implies iO in their seminal work [GLSW15].

In our work, we show that a generic multilinear map that satisfies the SXDH assumption implies a “slotted”RKHwPRF, which implies an iO construction. Thus, we show that multilinear maps where SXDH holds can be used tobuild iO, generalizing the result of [GLSW15] to a wider class of multilinear maps. To our knowledge, previous workthat built iO from multilinear maps assuming SXDH [Lin17, LT17] required other assumptions, such as blockwise-localPRGs and subexponentially secure LWE.

iO from Matrix DDH on Multilinear Maps. Most iO constructions rely on asymmetric multilinear maps thatinherently impose certain restrictions on the ability to pair elements from different groups. In this work, we proposenew techniques to build iO from relatively mild assumptions over any multilinear map (including symmetric ones).

More concretely, we show that any multilinear map where DLIN (and more generally the matrix DDH family ofassumptions [EHK+13]) holds can be used to build a slotted partial RKHwPRF. To our knowledge, this implies the firstconstruction of iO from any multilinear map assuming only DLIN (or matrix-DDH) without any additional assumptions.

iO from “The MMap Strikes Back” Multilinear Map. In [MZ18], Ma and Zhandry propose a candidate multilinearmap construction based on repeated instances of the [CLT13] multilinear map construction. To our knowledge, thispaper contains the only published multilinear map which has not been successfully cryptanalyzed.2 However, theconstruction is substantially less structured than previous graded encodings, and Ma and Zhandry are only able toconstruct NIKE using their multilinear map–they leave iO as an open problem.

In this work, we show how to build a slotted “partial” RKHwPRF based on the multilinear map construction in“The MMap Strikes Back.” Assuming SXDH holds over this multilinear map (which, as far as we know, is unbroken sofar), we can construct a secure slotted partial RKHwPRF, which is sufficient to realize a secure iO construction. To ourknowledge, this would be the only non-cryptanalyzed construction of iO from a multilinear map.

We think that this construction is an excellent example of the power of our techniques: the [MZ18] construction isvery unstructured, and previously existing methods for building iO from graded encodings require much more structurethan this construction has. However, the unstructured nature of (slotted, partial) RKHwPRFs allows us show that such agraded encoding does, in fact, imply a (slotted, partical) RKHwPRF, which means we can get an iO construction.

Multilinear Map, iO, and RKHwPRF Equivalence. We have already discussed a multitude of papers that buildiO from multilinear maps. However, a recent line of work [AFH+16, FHHL18] has focused on the converse: namely,showing how to build multilinear maps from iO. In particular, [FHHL18] constructs a multilinear map where themultilinear DDH (MLDDH) assumption holds from iO.

In a more recent work, Alamati et al. [AMP20] showed how to build multilinear maps endowed with most of thewell-known (prime order) “source group” assumptions from subexponentially secure iO and some other (relatively)standard assumptions. In particular, they showed how to build an SXDH-hard multilinear map with randomizedencodings. Since we show in this work that such a multilinear map implies a slotted partial RKHwPRF, it follows that,assuming subexponential security and standard assumptions, a slotted partial RKHwPRF can be built from iO itself.

1As discussed in [GLSW15], the reduction from a program-independent assumption seems to inherently imply an exponential security loss.2We note that there are maps like [BGMZ18] which have been cryptanalyzed [CCH+19] but, to our knowledge, not necessarily broken in all

possible parameter regimes.

5

This implies that, modulo subexponential security and standard assumptions, (slotted partial) RKHwPRFs arein a sense “iO-complete”, and can be built from other primitives known to imply iO, e.g., compact functionalencryption [AJ15, BV15] and, from a more recent work, split FHE [BDGM20]. Thus, RKHwPRFs both imply and areimplied by a very wide range of (subexponentially secure) powerful primitives (note that subexponential security acommon requirement for reductions in this space, e.g., constructions of iO from compact FE [AJ15, BV15]).

Field-Homomorphic Synthesizers Are Impossible. Given the implication that a RHS is sufficient to realize iO,it is natural to ask whether it is possible to have a stronger version of a RHS where the output space is a field withefficiently computable field operations (we call such a primitive a field-embedded homomorphic synthesizer, or FHS inshort). We answer this question in negative by showing that there is no secure FHS. Since an FHS is implied by a fieldkey-homomorphic weak PRF (FKHwPRF), it follows that there is no secure FKHwPRF as well.

Previously, Maurer and Raub [MR07] showed that field-homomorphic one-way permutations were impossible, andour work extends this result. Moreover, it seems unlikely that our attacks here can be extended to the ring case. Inparticular, it is not known how to compute kernels or inverses over general rings, which makes our attack on fieldsinfeasible to trivially extend to rings. We refer the reader to [ADM06, Jag12, YYHK18] for discussions on the hardnessof computing inverses/kernels over generic rings and its implications.

It is easy to see that this negative result does not apply to multilinear maps since the number of multiplicationoperations over the output space is apriori bounded by the degree of multilinearity and inverses are infeasible to computeover the output space.

New Separation Results. Our findings have interesting implications in terms of separation results. Garg et al. [GMM17]showed that certain powerful “all-or-nothing” primitives, e.g., witness encryption and FHE, cannot be used in ablack-box manner to construct iO. In this work, we show that ring-embedded homomorphic synthesizers (and ringkey-homomorphic weak PRFs) imply iO in a black-box manner, thereby ruling out black-box constructions of thesegeneric primitives with structure from witness encryption and FHE.

As a side note, in [AMPR19] the authors show that FHE implies ring input-homomorphic weak PRFs (RIHwPRFs)with certain restrictions. Our results thus also rule out the possibility of building RHS (and RKHwPRFs) in a black-boxmanner from such restricted RIHwPRFs.

Outline. The rest of the paper is organized as follows. Section 2 provides an overview of our techniques. Section 3provides preliminary background material. Section 4 presents the construction and proof of multiparty NIKE from RHS.Section 5 presents the construction of iaiO for NC1 from RHS. Section 6 introduces our subspace hiding assumption,and Section 7 proves the security of our iaiO construction based on this assumption. Sections 8 and 9 prove the subspacehiding assumption. Section 13 rules out the existence of field-homomorphic synthesizers. Sections 11 and 13 formallydefine slotted RKHwPRFs and slotted partial RKHwPRFs, and show how to instantiate them from various multilinearmaps and associated assumptions. Finally, Section 14 presents conclusing remarks and open questions.

2 Technical OverviewIn this section, we explain the intuition behind our constructions and proofs at a high level. We refer to the remainder ofthe paper (where the formal definitions and proofs are located) as appropriate. We will generally write all of our resultsin this section in terms of ring key-homomorphic weak PRFs (RKHwPRFs) in order to simplify our arguments, althoughour results will also follow from a substantially weaker primitive, namely ring-embedded homomorphic synthesizers.

2.1 Definitions and IntuitionRecall that we informally say that a weak PRF is ring key-homomorphic if, for some weak PRF F : K ×X → Y withboth keyspace (K,⊕,⊗) and output space (Y,�,�) rings with efficiently computable ring operations, the followinghold:

F (k1, x)� F (k2, x) = F (k1 ⊕ k2, x) ,

6

F (k1, x)� F (k2, x) = F (k1 ⊗ k2, x) .

We call this a classic RKHwPRF. We write our proofs and constructions using these classic RKHwPRFs. However,in many cases, some of the underlying objects (say, graded encodings or multilinear maps) for which we want toconstruct iO or NIKE do not quite fit into the framework of a classic RKHwPRF. To accomodate this, we consider moregeneric versions of the definition of an RKHwPRF. We note that all of the proofs and constructions work in essentiallythe same way for all versions of the definitions we provide here.

Slotted RKHwPRFs. Suppose we consider an asymmetric bilinear map where the symmetric external Diffie-Hellman(SXDH) assumption holds. Let e : G1 ×G2 → GT be an asymmetric efficiently computable non-degenerate bilinearmap with “source groups” G1 and G2, and target group GT , where each group is order q (assumed prime). Also, let Xbe a set of size q such that there exist efficiently computable “encoding functions”:

H1 : X → G1, H2 : X → G2, HT : X → GT ,

such that for any x ∈ X , we haveHT (x) = e(H1(x), H2(x)).

Note that we can create such functions by setting H1 and H2 to be efficiently computable bijections, and letting HT

be the bilinear map evaluation of their output.Now, for i ∈ {1, 2, T}, define the function Fi : Zq ×X → Gi as:

Fi(k, x) = Hi(x)k.

Note that assuming SXDH holds (implying that DDH is hard over each individual source group G1 and G2, andhence, over the target group GT ), we can state the following:

• If the “encoding functions” H1 and H2 are modeled as bijections, each Fi for i ∈ {1, 2, T} is a weak PRF.

• Each Fi for i ∈ {1, 2, T} is homomorphic with respect to addition. More concretely, for any k1, k2 ∈ Zq and forany x ∈ X , we have:

Fi(k1 + k2, x) = Fi(k1, x) · Fi(k2, x).

This gives us a set of related group key-homomorphic weak PRFs. However, defining ring-homomorphism is tricky,since none of G1, G2 and GT are necessarily equipped with efficiently computable multiplication operations (in fact,for some of these groups, such an operation may not even be properly defined).

However, note that we can use the bilinear map e to “simulate” a single multiplication operation as follows: for anyk1, k2 ∈ Zq and for any x ∈ X , define the following operation:

F1(k1, x)� F2(k2, x) := e(F1(k1, x), F2(k2, x)).

It is easy to see that F1(k1, x) � F2(k2, x) = FT (k1 · k2, x). While such a construction does not formally meetthe definition of a “classic” RKHwPRF, it does give us something that seemingly provides the same functionality ofan RKHwPRF. We can thus view the ensemble {F1, F2, FT } as a 2-“slotted”-RKHwPRF, that supports unboundedaddition operations and a single multiplication operation, with the added restriction that a multiplication is only allowedbetween elements from G1 (which constitutes “slot-1” of the output space) and G2 (which constitutes “slot-2” of theoutput space), while no multiplications involving elements from GT (which constitutes “slot-2” of the output space) areallowed.

Note that for the multiplicative homomorphism to hold in “slotted” RKHwPRFs, we need to ensure that we canprovide outputs on the same inputs across all slots (where each “slot” has a different key); in other words, a “slotted”RKHwPRF resembles a collection of parallel-secure weak PRFs. We formalize slotted RKHsPRFs using notion of“interval encodings” [MZ18]. In a nutshell, slotted RKHwPRFs are essentially classic RKHwPRFs with the followingrestrictions:

1. The elements in the output space are divided into n singleton “slots” or intervals [i] for i ∈ [1, ..., n].

7

2. The output space of any PRF in this family is not equipped with an efficient multiplication algorithm by itself.Instead multiplication is “simulated” by using the graded encoding operation.

3. Elements in adjacent intervals [i, j], [j + 1, k] can be multiplied, getting a new element in the interval [i, k]. Thisrequires the use of a graded encoding multiplication operation.

4. Two elements in the same interval can be added together (as usual), but elements not in the same interval cannotbe added.

5. Unlike the standard notion of RKHwPRFs where one can perform unbounded many multiplication operations inthe output space, the number of allowed multiplications in the output space of n-“slotted”-RKHwPRFs is upperbounded by (n− 1), where n is the degree of multilinearity of the underlying asymmetric multilinear map. Notethat the number of allowed additive operations is still unbounded.

We note that, like most other iO constructions using high-degree multilinear maps, we require that we can incre-mentally evaluate multiplications on the multilinear maps, so our constructions would not work for any (hypothetical)multilinear maps that only allow “one-shot” pairings of all n elements together to a final element in the target group. No-tably, some constructions using low-degree multilinear maps and working through functional encryption [Lin17, AS17]do not have this restriction and only require “one-shot” pairings.

Applications of Slotted RKHwPRFs. It turns that all of the constructions presented in this paper can be realized notonly from RKHwPRFs but also from n-“slotted”-RKHwPRFs, where the choice of parameter n would depend on thecorresponding construction. For example, in the construction of multiparty key-exchange, it suffices to set n = N − 1,where N is the number of involved parties. Similarly, for our iO construction, it suffices to set n = L+N − 1, whereL is the depth of the permutation branching program corresponding to the circuit to be obfuscated and N is the numberof input variables.

Correctness and security of our RKHwPRF constructions hold immediately for slotted RKHwPRFs for (mainly)one reason: the multiplications of ring elements in all of our constructions are done in a fixed order that is independentof the input and set in advance. Fundamentally, for our constructions a slotted RKHwPRF is no different than a standardone, but the more general construction lets us capture more instantiations.

In Section 11, we show that any asymmetric multilinear map of degree n where the SXDH assumption holds impliesa family of n-“slotted”-RKHwPRFs. Coupled with our iO construction from RKHwPRFs, this allows us to achieve iOfrom a multilinear map where SXDH holds. The analysis is very similar to what we have discussed above for bilinearmaps.

Slotted Partial RKHwPRFs. In Section 12, we consider a variation of slotted RKHwPRFs to take into accountmultilinear maps with “noisy” encodings [CLT13, MZ18]. We call this variation slotted “partial” RKHwPRFs, and showhow to instantiate it from any multilinear map with noisy encodings where the SXDH assumption holds. Our definitionsof slotted partial RKHwPRFs are similar in flavor to the definitions of “almost” key-homomorphic PRFs in [BLMR13],albeit with an additional zero test.1 All of our constructions also follow from slotted “partial” RKHwPRFs.

In Section 12, we also show how to build slotted partial RKHwPRFs from either of the following assumptions:(a) the SXDH assumption over the asymmetric multilinear map of Ma and Zhandry [MZ18], and (b) DLIN (or moregenerally, matrix-DDH) over any (possibly symmetric) multilinear map. Below, we present some of the ideas behindthe second construction.

Let e : G× . . .×G→ GT be a symmetric N -linear map such that the matrix DDH assumption (with appropriatedimension parameter m > N ) holds over the group G. To begin with, observe that the function F : Zm×mq ×Gm×m →Gm×m defined as

F (K, gX) = gXK,

is a weak PRF. This weak PRF is additively key-homomorphic, but the non-commutativity of matrix multiplicationpresents an obstacle to achieving multiplicative key-homomorphism via the pairing operation.

1Note that evaluating a classical/slotted RKHwPRF on any input using the key k = 0K trivially results in a zero output, which can be used as azero test. Since this is not the case when the homomorphism is partial, we need an explicit zero test.

8

In order to address this, we resort to designing a slotted weak PRF family with additional correlated randomnessbetween “adjacent” interval-slots. At a high level, for a given input x, a weak PRF in the slot [i, j] for i ≤ j ≤ 2 has thefollowing form:

Fi,j((K,φi,(j+1)), x) = gA(x,i)KA−1

(x,(j+1)) ,

where φi,(j+1) is a specially structured random secret used to generate the random matrices Ax,i and Ax,j+1 in Zm×mq .We refer the reader to Section 12 for the proof of weak pseudorandomness based on the matrix DDH assumption.

Note that in this formulation, we can exploit the common random terms between “adjacent” slots-pairs ([i, j], [j +1, `]) to achieve multiplicative homomorphism, albeit over “part” of the secret key. Nonetheless, as we explain inSection 12, such a slotted “partial” RKHwPRF suffices for our constructions.

2.2 Key Homomorphism and Subset SumThe starting point of our work is the main technique from [AMP19], where the authors observe that “repeated” randomsubset sums (i.e., subset sums computed over different sets of elements using the same random subset) over the outputspace of a KHwPRF are indistinguishable from uniformly random elements. This may sound counterintuitive, butfollows from a relatively simple observation. Let F := K × X → Y be a KHwPRF where (K,⊕) and (Y,�) aregroups with efficient group operations. Suppose b is a random binary string of length n. Now consider the followingsum over the set of KHwPRF outputs, for randomly chosen keys ki and a random inputs xj , where if bi is one weinclude the ith row in our sum, and if bi is zero, we do not:

b1 [ F (k1, x1) F (k1, x2) F (k1, x3) ... F (k1, xm) ]b2 [ F (k2, x1) F (k2, x2) F (k2, x3) ... F (k2, xm) ]... ... ... ... ... ... ...

� bn [ F (kn, x1) F (kn, x2) F (kn, x3) ... F (kn, xm) ]F (k′, x1) F (k′, x2) F (k′, x3) ... F (k′, xm)

Note that if n > 3 log |K|, then k′ is distributed statistically close to random by the leftover hash lemma [IZ89]. Thismeans that the resulting sums–which are valid PRF outputs–are computationally indistinguishable from random even ifm >> n due to the security of the KHwPRF; in other words we can repeatedly subset sum using the same randomsubset arbitrary (polynomially) many times and still produce pseudorandom group elements–assuming the binary vectorb is hidden, the whole ensemble of PRF outputs above will be indistinguishable from random. In addition, we note that,since KHwPRF outputs are indistinguishable from random in the output space Y , the above arguments apply not just toKHwPRF outputs but also randomly sampled elements in Y as well.

In [AMP19], the authors use this technique to show that KHwPRFs imply PKE and other asymmetric primitivesin Cryptomania, but that is the extent of their application. It turns out that if we generalize to RKHwPRFs, we canconsiderably increase the power of this technique.

2.3 Ring Homomorphism and Subset SumNow suppose we modify our weak PRF F to be an RKHwPRF, with the keyspace (K,⊕,⊗) and output space (Y,�,�)having efficiently computable ring operations. Suppose that we consider a matrix of wPRF outputs

Kx =

F (k1,1, x) F (k1,2, x) F (k1,3, x) ... F (k1,n, x)F (k2,1, x) F (k2,2, x) F (k2,3, x) ... F (k2,n, x)

... ... ... ... ...F (kn,1, x) F (kn,2, x) F (kn,3, x) ... F (kn,n, x)

where we have made Kx square. If we have some other matrix Sx ∈ Yn×n sampled in exactly the same way, then, bythe ring key-homomorphism, the product SxKx is well-behaved: the (i, j)th entry of SxKx is just F (k, x), where k isthe (i, j)th entry of the products of the matrices of the corresponding keys of Sx and Kx respectively.

9

We now illustrate a consequence of this observation. Suppose that we sample matrices S1x, ...,S

mx ∈ Yn×n with

independent keys as described above. Then the tuple

S1x

S2x

...Smx

,

S1x

S2x

...Smx

[Kx]

is indistinguishable from random. This follows from a similar argument that was used to show that subset sums withreused randomness are hard for KHwPRFs. We develop new techniques to be able to move from repeated subset sumsover groups to matrix multiplications over rings while retaining the pseudorandomness of the final elements. Concretely,the intuition behind our proof techniques is as follows:

Step 1: Apply the leftover hash lemma to argue that the dot product of two random vectors over the keyspace of anRKHwPRF results in a key that is statistically indistinguishable from random. This step is conceptually similar to thefirst step in the previous proof, where we used the leftover hash lemma to argue that a single subset sum over a vector ofKHwPRF keys using a random subset results in a key that is statistically indistinguishable from random. In the ringsetting, we esentially shift from using subset sums to using general ring-linear sums, while still retaining the ability toinvoke the leftover hash lemma when required.

Step 2: Invoke the security of the RKHwPRF to expand from vector dot products to matrix products, while retainingcomputational indistinguishability from random. Again, this step is conceptually similar to the second step in theprevious proof, where we invoked the security of the KHwPRF to go from a single subset sum to repeated subset sums,while retaining computational indistinguishability from random.

Once again, due to the fact that our wPRF outputs must be indistinguishable from random, we can work with randomelements in the output ring Y rather than outputs of the RKHwPRF itself, and the output will still be indistinguishablefrom random. In other words, we prove the following claim: for random matrices R ∈ Ym×n and T ∈ Yn×k, the tuple(R,RT) is indistinguishable from random even if m >> n and k >> n. This turns out to be a very powerful technicaltool that we use extensively in all our constructions, including those based on the significantly weaker primitive, namelyring-embedded homomorphic synthesizer.

Our techniques extend naturally in the context of “slotted” RKHwPRFs, even though the output space for the sameis not an explicit ring. We essentially simulate multiplication operations over the output space of a “slotted” RKHwPRFusing machinery provided by multilinear maps. Note that the key space for a “slotted” RKHwPRF is still a ring, whichallows us to invoke the leftover hash lemma for ring-linear sums over this space. Finally, we can invoke the weakpseudorandomness properties of the RKHwPRF to argue that repeated wPRF evaluations using the same ring-linearsum over the key space results in elements that are computationally indistinguishable from uniform.

2.4 Multiparty Noninteractive Key ExchangeOur first construction involves building noninteractive key exchange from RHS (in this overview, we will assume anRKHwPRF for ease of exposition). This construction is relatively simple and relies on our new technique to show thehardness of distinguishing simple matrix products over RKHwPRF output spaces from random. In this overview, wewill focus on the 3-party case instead of the N -party case for simplicity. The intuition for the N -party case followssimilarly.

Given an RKHwPRF F : K × X → Y , we first fix parameters m > 3 log|K| and n > 6m2 log(|Y|). LetR = Mm(Y) denote the ring of all m by m square matrices over Y . We remark that log(|Rn×n|) is polynomial in thesecurity parameter, and hence elements ofRn×n can be represented using polynomially many bits.

Our public parameters for 3-party NIKE are going to be two matrices R(1) and R(2) sampled uniformly at randomfromRn×n, whereR is the matrix ring as defined above. Our proposed protocol works as follows:

Alice Bob CharlieSample SA ← Rn×n Sample SB ← Rn×n Sample SC ← Rn×n

Publish PA = SAR(1) Publish P

(1)B = R(1)SB Publish PC = R(2)SC

P(2)B = SBR

(2)

10

The final shared secret is S := SAR(1)SBR

(2)SC . Alice/Bob/Charlie can compute the final secret S as

S = SAR(1)SBR

(2)SC = SAP(1)B PC (Alice)

= PASBPC (Bob)

= PAP(2)B SC (Charlie).

While the construction is relatively simple, the security proof is more involved (in particular, when generalizing toan arbitrary number of parties). We need to show that the following tuples are indistinguishable from each other:(

R(1),R(2),SAR(1),R(1)SB ,SBR

(2),R(2)SC ,SAR(1)SBR

(2)SC

),(

R(1),R(2),SAR(1),R(1)SB ,SBR

(2),R(2)SC ,U),

where U is a uniformly sampled matrix inRn×n.It follows from the assumption that F is an RKHwPRF that the tuples

(R(1),SAR

(1))

and(R(1),TA

)are

indistinguishable for some random matrix TA inRn×n. We can apply a similar line of argument to the term containingSC as well. Thus, we can reduce our above assumption to distinguishing between the following tuples:(

R(1),R(2),TA,R(1)SB ,SBR

(2),TC ,TASBTC

),(

R(1),R(2),TA,R(1)SB ,SBR

(2),TC ,U).

The difficult step in the proof involves implicitly showing that giving an adversary both R(1)SB and SBR(2) does not

allow the adversary to learn “enough” about SB to distinguish the final term from random.To do this, we exploit the fact that any uniformly random matrix (with large enough dimensions) in the output ring

of the KHwPRF is computationally indistinguishable from a tensor product of two uniformly random vectors in theoutput ring of the KHwPRF. We introduce and prove certain statistical lemmas with respect to modules that, whencombined with the aforementioned observation, allow us to argue that the secret matrix SB is computationally hidden,even given both R(1)SB and SBR

(2). The security of the overall protocol then follows from this argument. We referthe reader to Section 4 for the detailed proof.

2.5 Indistinguishability Obfuscation

Our second (and main) contribution is a construction of iO forNC1 from any RKHwPRF. In Section 5, we in fact presentan iO construction from a substantially weaker primitive, namely ring-embedded homomorphic synthesizer (RHS).However, for simplicity of exposition, we present the construction from RKHwPRFs here.

We use the framework of [GLSW15] in order to prove iO security, as this is one of the few constructions builds iOfrom a program-independent assumption and in the standard model.1 More precisely, we build an input-activated iOscheme and adopt the machinery from [GLSW15] which shows that an input-activated iO scheme implies a full iOscheme.

In [GLSW15], the authors present an input-activated iO construction for NC1 from composite order multilinearmaps. More specifically, they base the security of their construction on an assumption called the multilinear subgroupelimination assumption. While their construction introduces many novel ideas for proving the security of iO from aprogram-independent assumption, their techniques are heavily tuned towards abelian groups. One of the key challengesthat we faced when trying to port their ideas to the setting of a generic primitive such as RKHwPRF is the lack of similaruseful properties, such as commutative multiplication and cyclic subgroups with explicit representation.2 Therefore,even though at a very high level, our input-activated iO construction has certain similarities with that of [GLSW15], weuse substantially different techniques to achieve both correctness and security.

1Most of the other program independent, standard-model constructions build iO through functional encryption [Lin17, LT17].2As the authors of [AMP19] pointed out, such explicit representations are not available in the output space of RKHwPRFs; otherwise an adversary

can break the security of the primitive by solving a system of modular equations.

11

We construct input-activated iO from generic RKHwPRFs as follows: we introduce an assumption (based on ageneric primitive, namely RKHwPRF) that can be loosely described as a nonabelian, matrix analogy of the multilinearsubgroup elimination assumption. We prove that this assumption holds over the output ring R of any RKHwPRF. Wethen show that such an assumption implies an input-activated iO scheme.

Construction Ideas and Challenges. Assume that any NC1 program is represented as an oblivious permutationbranching program P of width 5. Let P = {M`,0,M`,1}`∈[L], where L denotes the depth of P and each M`,b ∈{0, 1}5×5 is a permutation matrix. The first step in our construction is to embed each program matrix M`,b into a matrixM`,b of dimension m by m over the output ring R of the KHwPRF. We refer the reader to Section 5 for the details ofthe embedding technique.

The next step is to randomize each ring-embedded matrix M`,b using a Kilian-style randomization technique [Kil88].A natural approach (in line with existing constructions [GGH+13b]) is to generate a sequence of uniformly randommatrices {Y`}`∈[L] ← Rm×m and to use the a sequence of encodings {N`,b}`∈[L],b∈{0,1}, where

N`,b = Y−1` M`,bY`+1,

where YL+1 is assumed to be the identity matrix I. This would preserve the program’s functional behavior.However, recall that we are working over the output ring R of an RKHwPRF. This essentially means that there is no

efficient algorithm to compute inverses in R, (or they might not even exist for most elements). Even worse, computingmatrix pseudoinverses over the ring R is hard, since an efficient algorithm for the same would translate into an attackon the security of the RKHwPRF.

Some existing constructions based on generic graded encodings [BR14b] get around this issue by using the adjointmatrix Z` = adj(Y`) instead of the inverse matrix Y−1` , where Z` is composed of determinants of minors of Y`.However, these constructions use matrix encodings of constant dimensions, for which the adjoint matrices are efficientlycomputable.

It turns out that in our construction, we must use large matrices (i.e., of dimension 3 log |R|) in order to be able touse the leftover hash lemma. So it does not seem likely that the novel techniques of [BR14b] can be applied to ourconstruction. Therefore, for our iO construction, we have to develop an entirely new toolbox that deals with matrices ofring elements.

A Simplified Version of Our Construction. We now show a step-by-step process for building up a simplified versionof our iO construction. In particular, we show how to build an input-activated iO scheme. Using [GLSW15], we canleverage this into a full iO scheme for all functions in NC1. We define all of the relevant definitions and notions ofsecurity in Section 3, while the detailed construction and proof of security are presented in Section 5 and Section 7.Below, we describe a simplified version of our construction that captures many of the ideas that the full constructionbuilds on.

1. Permutation Branching Programs. We assume that any NC1 program is represented as an oblivious permuta-tion branching program P of width 5. Let P = {M`,0,M`,1}`∈[L], where L denotes the depth of P and eachM`,b ∈ {0, 1}5×5 is a permutation matrix. Also, let x1, . . . , xN denote the input variables, and let φ : [L]→ [N ]be a mapping such that for each ` ∈ [L], i = φ(`) indicates which variable xi controls the `th level branch.

2. Killian-Style Randomization. We uniformly sample additional permutation matricesZ1, . . . , ZL−1 ∈ {0, 1}5×5,and define a new set of matrices {N`,b}`∈[L],b∈{0,1}, where N`,b = Z−1`−1M`,bZ`, where Z0 and ZL are bothset to be the identity permutation. Note that the set of all permutation matrices over {0, 1}5×5 form a group,which implies that the aforementioned randomization technique information-theoretically hides the original setof permutation matrices, while retaining the program behavior as is.

3. Ring-Embedding Permutation Matrices. We will now use the following strategy to embed a permutationmatrix into the output ring R of the homomorphic synthesizer S. Given a permutation matrix N`,b ∈ {0, 1}5, its

12

ring-embedding N`,b is defined as a 5m× 5m matrix over the ring R of the form:

N`,b =

N`,b,1,1 . . . N`,b,1,5

.... . .

...N`,b,5,1 . . . N`,b,5,5

,where for each w, v ∈ [5], N`,b,w,v ∈ Rm×m is as defined below:

N`,b,w,v =

{0 if N`,b[w, v] = 0,

uniformly random otherwise.

4. Generating Guard Matrices. We generate a sequence of “guard” matrix-pairs {(L`,R`)}`∈[L] (over the ringR underlying the homomorphic synthesizer) such that the following conditions hold:

• For each ` ∈ [L], the “left guard” L` is of dimension c1cm× c2m and the “right guard” R` is of dimensionc2m× c1m where c1, c2 are parameters such that c1 >> c2. Intuitively, each left guard will be very “talland skinny” matrix, while each right guard is a “short and fat” matrix.

• For each ` ∈ [L− 1], we have R`L`+1 = D` ∈ Rc2m×c2m, where D` is a “block-diagonal” matrix of theform

D` = diag(D`,1,D`,2, . . . ,D`,c2m),

where for each j ∈ [c2m], D`,j is a square matrix of dimension m×m over the ring R. More formally,suppose that for some ` ∈ [L− 1], the guard matrices R` and L`+1 have the following structure:

R` =

−− −− R`,1 −− −−...

−− −− R`,c2m −− −−

, L`+1 =

| || |

L`+1,1 · · · L`+1,c2m

| || |

.Then for each j, j′ ∈ [c2m], we have

R`,jL`,j′ =

{D`,j if j = j′,

0 if j 6= j′.

We now show that such a sequence of matrix-pairs can be created efficiently. For each ` ∈ [L− 1] and parameterm as described above, do the following:

(a) Sample uniform matrices A` ← Rc2m×(c1/2−c2)m and B` ← Rc2m×(c1/2−c2)m, and set

Y` =[A` J

], Z` =

B`

J−1 (D−A`B`)

,where D` is a uniformly sampled “block-diagonal” matrix Rc2m×c2m as described above, and J is an uppertriangular matrix in Rc2m×c2m with an efficiently computable inverse (we refer the reader to Section 5 forthe details of how such a matrix can be efficiently sampled).

(b) Sample a uniform square matrix X` ← R(c1/2)m×(c1/2)m and a uniform matrix U` ← Rc2m×(c1/2)m, andset R` and L`+1 as:

R` =[U` U`X` + Y`

], L`+1 =

−X`Z`

Z`

13

It easy to see that for each ` ∈ [L− 1], we have

R`L`+1 = −U`X`Z` + (U`X` + Y`)Z` = Y`Z` = D.

Note that we do not explicitly generate the “end-guard” matrices L1 and RL. For the moment, we assume thatthese guard matrices are set to the identity matrix I over Rm×m.

5. The Construction. We are now ready to describe a simplified version of our iO construction. Given an obliviousbranching program of depth L, the obfuscation algorithm does the following:

(a) Step 1: Construct a sequence of ring-embedded permutation matrices of the form {N`,b}`∈[L],b∈{0,1} asdescribed above.

(b) Step 2: Generate a sequence of “guard” matrix-pairs {(L`,R`)}`∈[L] satisfying the constraints as describedabove, for parameters c2 = 5 and c1 >> 5.

(c) Step 3: Generate a sequence of 2L “guarded” program matrix encodings {N`,b}`∈[L],b∈{0,1}, whereN`,b = L`N`,bR`.

6. Evaluation and Zero Testing. To efficiently evaluate the program on an input x = (x1, . . . , xN ), one cancompute the following “subset-product” of the “guarded” program matrix encodings: Q =

∏L`=1 N`,xφ(`) . It is

easy to see that the final product Q is matrix of dimension 5m× 5m. Suppose, Q = {Qw,v}w,v∈[5] where eachQw,v has dimension m×m.

Also, let Q be the permutation matrix resulting from performing the same “subset-product” on the actualpermutation matrices in the clear, i.e., let Q =

∏L`=1 M`,xφ(`) . The zero test procedure crucially uses the

following relation that holds with overwhelmingly large probability between each submatrix Qw,v and thepermutation matrix Q for any (w, v) ∈ [5]× [5]:

Qw,v = 0 if and only if Q[w, v] = 0.

The zero test will then choose a single non-diagonal entry (i, j). Note that this entry is non-zero whenever thebranching program outputs 0, i.e., whenever the matrix product Q is not the identity permutation matrix. Hence,it suffices to check whether the corresponding submatrix Qi,j is zero.

Enforcing Consistency. We now augment the aforementioned construction to enforce input consistency. In otherwords, for a variable xi that is associated with multiple levels of the program, the check should enforce that the samevalue of xi is used at all of the associated levels. We handle this in our construction by making two main alterations tothe previous construction:

1. Generating Program-Carrying Matrices. Recall that in the previous construction, at each level ` ∈ [L] andfor each bit b ∈ {0, 1}, we had a ring-embedded permutation matrix N`,b of dimension 5m× 5m, structured asfollows:

N`,b =

N`,b,1,1 . . . N`,b,1,5

.... . .

...N`,b,5,1 . . . N`,b,5,5

,

14

For each level ` ∈ [L] and for each bit b ∈ {0, 1}, we now construct a set of 5·5 block diagonal “program-carryingmatrices” {P`,b,w,v}w,v∈[5], each of dimension (2(L+N) + 1)m× (2(L+N) + 1)m, where each P`,b,w,v isstructured as:

N`,b,w,v

C(`,1),(b,0),(w,v)

C(`,1),(b,1),(w,v)

. . .C(`,L+N),(b,0),(w,v)

C(`,L+N),(b,1),(w,v)

,

where for each ` ∈ [L], each `′ ∈ [L+N ], each b, b′ ∈ {0, 1} and each matrix position (w, v) ∈ [5]× [5], wehave

C(`,`′),(b,b′),(w,v) =

{0 if (`′, b′) = (`, 1− b),uniform in Rm×m otherwise.

2. Generating Enforcer Matrices. Next, for each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, we constructan additional set of block diagonal “enforcer matrices” Ei,b of dimension (2(L+N) + 1)m× (2(L+N) + 1)m,structured as:

Ei,b =

Ti,b

C(i,1),(b,0)

C(i,1),(b,1)

. . .C(i,L+N),(b,0)

C(i,L+N),(b,1)

,

where for each i ∈ [N ], each `′ ∈ [L+N ], and each b, b′ ∈ {0, 1}, we have Ti,b ← Rm×m, and

C(`,`′),(b,b′) =

{0 if (i, b′) = (φ(`), b),

uniform in Rm×m otherwise,

where recall that φ : [L] → [N ] is a mapping such that for each ` ∈ [L], i = φ(`) indicates which variable xicontrols the `th level branch.

3. Guarding Program-Carrying And Enforcer Matrices. As before, we generate a sequence of “guard” matrix-pairs. We now need 2(L+N) guard matrices in order to cover both the program-carrying and enforcer matrices.More specifically, we generate a sequence of guard matrices {(L`,R`)}`∈[L+N ] satisfying the same constraints,albeit for parameters c2 = 2(L+N) + 1 and c1 >> 2(L+N) + 1.

Note that one difference from the simple iO construction presented earlier is in how we generate the “end-guard”matrices L1 and RL. In the simple construction, we assumed that these guard matrices were set to the identitymatrix I over Rm×m. For this construction, we structure them as multiple copies of the identity matrix “stacked”horizontally (for L1) and vertically (for RL), respectively.

Finally, we output a sequence of (5 · 5 · 2L+ 2N) “guarded” matrix encodings:{P`,b,w,v = L`P`,b,w,vR`

}`∈[L+N ],b∈{0,1},w,v∈[5]

,

{Ei,b = LL+iEi,bRL+i

}i∈[N ],b∈{0,1}

.

15

Evaluation and Zero-testing. To efficiently evaluate the program on an input x = (x1, . . . , xN ), one can computethe following “subset-product” of the “guarded” program matrix encodings: Q =

∏L`=1 P`,xφ(`) , where each P`,xφ(`)

may be viewed as a 5× 5 super-matrix of the corresponding program-carrying matrices {P`,xφ(`),w,v}w,v∈[5]. Suppose,Q = {Qw,v}w,v∈[5].

The zero test chooses a single non-diagonal entry Q(w, v) and computes Q′ = Qw,v

∏Ni=1 EL+i,xi . Observe that

Q′ is a matrix of dimension m×m. At this point, the zero test simply checks if Q′ = 0.

Correctness. We first observe that the consistency-check sub-matrices do not contribute to the result. To see this,observe the following:

1. For each (`, b), if b 6= xφ(`), then the consistency submatrices in the corresponding diagonal slot do not contributeto the final product since there is a zero submatrix in this diagonal slot in the program carrying matrix P`,xφ(`),w,vfor every (w, v) ∈ [5]× [5].

2. For each (`, b), if b = xφ(`), then the consistency submatrices in the corresponding diagonal slot do not contributeto the final product since there is a zero submatrix in this diagonal slot in the enforcer matrix EL+φ(`),xφ(`) .

Thus the only potential contributions to the value of Q′ come from the diagonal slots corresponding to the ring-embedded permutation matrices. It is now easy to see that Q′ 6= 0 if and only if the plaintext matrix subset-product Qhas a non-zero entry in the position (i, j), indicating that the program P outputs 0 on input x.

Parallel Program Execution. The next challenge towards our eventual goal of building iaiO is to be able to evaluatemultiple oblivious branching programs in parallel on the same set of inputs (where each program has the same sizeand the same level-to-input mapping, but potentially differs in the contents of their matrices). We refer the readerto Section 5 for details on how to handle input activations for multiple programs being executed in parallel, and toSection 7 for the detailed proof of security.

2.6 A New iO Construction from “The MMap Strikes Back”In [MZ18], Ma and Zhandry proposed a candidate asymmetric multilinear map scheme (referred to as the MZ18 MMaphenceforth), that is based on the [CLT13] multilinear map, albeit with significant technical alterations to provablysubvert zeroizing attacks [CLLT17]. To our knowledge, the MZ18 MMap is the only published candidate multilinearmap that has not been publicly broken. In addition, the SXDH assumption plausibly holds for the MZ18 MMap.

We provide here a high-level overview of how the MZ18 MMap works . It encodes plaintexts from a ring R intomatrices, where each such matrix encoding is associated with an interval level [i, j] such that i ≤ j ≤ N (N being thedegree of the MMap). At a high level, two kinds of operations are defined over the MZ18 MMap encodings - additionand multiplication. The addition operation is only defined between encodings that belong to the same interval-level[i, j], while the multiplication operation is only defined between encodings at “adjacent” interval-levels, i.e., it is onlypossible to multiply encodings at levels [i, j] and [j + 1, k] such that i, j, k ∈ [N ] and i ≤ j < k, and this results in anencoding at the level [i, `]. Adding and multiplying encodings of plaintext elements a and b produces encodings of(a+ b) and (a · b), respectively, albeit at potentially different interval-levels.

In Section 12, we prove that the MZ18 MMap implies a secure slotted partial RKHwPRF, under the assumption thatSXDH is hard over the MZ18 MMap encodings. This gives the first secure iO construction based on the MZ18 MMap.Below, we provide some intuition into how the instantiation is achieved.

First of all, our definitions of slotted partial RKHwPRF families only require that weak PRF outputs from different“slots” can only be multiplied in a fixed pre-determined order, which matches closely the “interval”-based restrictionsimposed on multiplications of encodings by the authors of [MZ18], and allows us to use these intervals as slots. Inaddition, our definitions only require “partial” homomorphism, which accounts for the fact that the MZ18 MMapencodings are randomized and use “noisy” encodings from the [CLT13] MMap. We also show how to adopt the MZ18zero test into an appropriate zero test for the slotted partial RKHwPRF family it implies.

16

Most importantly, though, our definitions and constructions are generic enough to encompass rings that arenoncommutative. The MZ18 MMap uses matrix-based encodings of plaintext elements and crucially relies on thenoncommutative nature of matrix multiplication to subvert zeriozing attacks; yet this has also made it difficult toinstantiate iO from the MZ18 MMap using known techniques that are designed to work over fields or small-dimensionalmatrix rings, as opposed to generic matrix rings. Our key contribution is in developing techniques to work over matrixrings with arbitrarily large dimensions.

2.7 Negative Results and DiscussionImpossibility of FHS. We prove that field-embedded homomorphic synthesizers (FHS) are impossible to realize.This follows from two contradicting observations: first, that the subset sum indistinguishability we have been describingso far should hold due to the definition of the FHS, and second, that it cannot, due to the fact that we can efficientlycompute inverses on the output field.

To see this, let R ∈ Y2n×n be a matrix sampled randomly from the output space of an FHS. We let R1,R2 ∈ Yn×nbe defined such that

R =

[R1

R2

]By what we have shown earlier and by the definition of an FHS, it is required that the tuple (R,RT) is indistinguishablefrom random for a randomly sampled T← Yn×n. But since Y is a field, we can compute inverses (and pseudoinverses,if necessary) over both elements of Y and matrices of elements of Y .

So given (R1,R1T) and (R2,R2T), we can compute R−11 and R−12 and check that

R−11 (R1T) = R−12 (R2T) .

On the other hand, this holds with negligible probability if R1T and R2T are replaced with truly random matrices.Thus we build a distinguisher that breaks the security of any FHS. This rules out the existence of both field-homomorphicsynthesizers and field-homomorphic weak PRFs.

As we mentioned in the introduction, it does not seem likely that our attacks here can be extended to the ring casebecause it is not known how to compute kernels or inverses over general rings [ADM06, Jag12, YYHK18].

Cryptography and Mathematical Structure. We highlight that our results make progress towards completing thepathway from generic algebraically structured primitives to cryptographic applications that was originally initiatedin [AMPR19, AMP19]. Specifically, by realizing iO from an RKHwPRF it seems that most of the well-knowncryptographic primitives can be constructed in a generic manner from Minicrypt primitives endowed with additionalalgebraic structure. Most of the primitives that these existing frameworks relating mathematical structure to cryptographycannot handle seem to follow from assumptions that are even more structured than what we consider here.

Relationship to Generic/Idealized Models. A natural question to ask is what RKHwPRFs (or RHSs) offer incomparison with generic multilinear map or graded encoding models, which are also used to construct iO and NIKE (ananalogous comparison would be KHwPRFs versus the generic group model [Sho97]). The generic/idealized models areuseful for the purposes of abstraction and even more importantly, to prove lower bounds/negative results [MMN16, Ps16].However, while a generic multilinear map or graded encoding is inherently limited from an instantiation point of view,it may be possible to securely instantiate an RKHwPRF. In other words, an RKHwPRF is a “standard-model” primitive,unlike generic graded encodings/multilinear maps.

In the same vein, iO constructions in the generic/idealized models are inherently unable to obfuscate primitive-dependent circuits since the “code” implementing a generic graded encoding/multilinear map is unavailable. By contrast,an iO construction based on an RKHwPRF is able to obfuscate any program that uses the “code” implementing theRKHwPRF itself. Moreover, cryptographic implications in the generic/idealized models can be too powerful; as aconcrete example, virtual black-box obfuscation is realizable in the generic graded encoding model [BR14b, BGK+14],but not in the standard model [BGI+01].

Finally, RKHwPRFs are less structured than existing generic models: our constructions from RKHwPRFs workover any rings. To our knowledge, all traditional generic graded encoding models [BR14b, BR14a] require at least one

17

large cyclic group in the ring or field that they use for computation, along with its explicit representation. We hope thatrelaxing such requirements might lead to new candidate constructions for iO/NIKE.

3 Preliminaries

3.1 NotationFor any positive integer n, we use [n] to denote the set {1, . . . , n}. For two positive integers m and n we denote the set{m,m+ 1, . . . , n} by [m,n]. We use λ for the security parameter. We use the symbols ⊕ and ⊗ as ring operationsdefined in the context. We assume that rings have multiplicative identity element. For a finite set S, we use s← S tosample uniformly from the set S.

Let (R,⊕,⊗) be an arbitrary finite ring. We denote the additive/multiplicative identity of R by 0R/1R. We definethe multiplication of two matrices of ring elements in the natural way: for two arbitrary matrices

A = [aij ]{i∈[`],j∈[m]} ∈ R`×m , B = [bij ]{i∈[m],j∈[n]} ∈ Rm×n,

their product C = [cij ]{i∈[`],j∈[n]} = AB is defined as

cij = (ai,1 ⊗ b1,j)⊕ (ai,2 ⊗ b2,j)⊕ · · · ⊕ (ai,m ⊗ bm,j).

3.2 (Symmetric) Cryptographic Primitives

Weak Pseudorandom Functions. If G : X → Y is a function, let G$ denote a randomized oracle that, when invoked,samples x← X uniformly and outputs (x,G(x)). A keyed function family is a function F : K ×X → Y such that Kis the key space and X,Y are input and output spaces, respectively. We may use the notation Fk(x) to denote F (k, x).A weak pseudorandom function (wPRF) family is an efficiently computable (keyed) function family F such that for allPPT adversaries A we have ∣∣∣Pr[AF

$k = 1]− Pr[AU

$

= 1]∣∣∣ ≤ negl(λ),

where k ← K, and U : X → Y is a truly random function. Roughly speaking, the security requirement is that givenaccess to polynomially many (random) input-output pairs of the form (xi, yi), no attacker can distinguish between thereal experiment where yi = Fk(xi) and the ideal experiment where yi = U(xi) for a truly random function U .

(Pseudorandom) Synthesizers. Let ` and m be (polynomially bounded) integers, and let S : X × Y → Z be anefficiently computable function. Assume that x ← X` and y ∈ Y m are two uniformly chosen vectors, and letZ ← Z`×m be a uniformly chosen matrix. We say that S is a pseudorandom synthesizer if for any probabilisticpolynomial time (PPT) attacker we have

[S(x,y)]c≈ Z,

where [S(x,y)] is an `×m matrix whose ijth entry is S(xi, yj).

3.3 Homomorphic PrimitivesWe endow weak PRFs and (pseudorandom) synthesizers with ring homomorphism. We remark that it is also possibleto define the notion of bounded homomorphism, similar to [AMPR19] and [AMP19] using a universal mapping thathandles a bounded number of homomorphism. See [AMPR19] and [AMP19] for more details.

Definition 3.1. (Ring Key-Homomorphic Weak PRF.) A weak PRF family F : K × X → Y is a Ring Key-Komomorphic weak PRF (RKHwPRF) family if it satisfies the following two properties:

• (K,⊕,⊗) and (Y,�,�) are efficiently samplable (finite) rings with efficiently computable ring operations.

• For any x ∈ X the function F (·, x) : K → Y is a ring homomorphism, i.e., for any x ∈ X and k, k′ ∈ K wehave

F (k ⊕ k′, x) = F (k, x)� F (k′, x) , F (k ⊗ k′, x) = F (k, x)� F (k′, x) , F (1K , x) = 1Y .

18

Definition 3.2. (Ring Input-Homomorphic Weak PRF.) A weak PRF family F : K × X → Y is a Ring Input-Komomorphic weak PRF (RIHwPRF) family if it satisfies the following two properties:

• (X,⊕,⊗) and (Y,�,�) are efficiently samplable (finite) rings with efficiently computable ring operations.

• For any k ∈ K the function F (k, ·) : X → Y is a ring homomorphism, i.e., for any k ∈ K and x, x′ ∈ X wehave

F (k, x⊕ x′) = F (k, x)� F (k, x′) , F (k, x⊗ x′) = F (k, x)� F (k, x′) , F (k, 1X) = 1Y .

Definition 3.3. (Ring-Embedded Homomorphic Synthesizer.) A Ring-Embedded Homomorphic Synthesizer S :X ×G→ R is a synthesizer that satisfies the following properties:

• (G,⊕) is an efficiently samplable (finite) group with efficiently computable group operation.

• (R,�,�) is an efficiently samplable (finite) ring with efficiently computable ring operations.

• For any x ∈ X the function S(x, ·) : G→ R is a group homomorphism, i.e., for any x ∈ X and r1, r2 ∈ R wehave

S(x, g1 ⊕ g2) = S(x, r1)� S(x, r2)

It is easy to see that a ring-embedded homomorphic synthesizer is implied by an RKHwPRF or an RIHwPRF (forwhich the input space does not depend on the choice of the key).

3.4 Indistinguishability Obfuscation (iO)

Here we recall the definition of indistinguishability obfuscation (iO) from [BGI+01].

Definition 3.4. A PPT algorithm Obf is an indistinguishability obfuscator for a circuit family Cλ with input space{0, 1}`(λ) if:

• Correctness: For every circuit C ∈ Cλ and every input x ∈ {0, 1}`(λ) we have:

Pr[C(x) = C ′(x) : C ′ ← Obf(C)] = 1,

where the probability is taken over the randomness of Obf algorithm.

• Security: For any PPT adversary A and for any two functionally equivalent circuits C1 ∈ Cλ and C2 ∈ Cλ suchthat |C0| = |C1|, it holds that:

|Pr[A(λ,C0) = 1]− Pr[A(λ,C1) = 1]| ≤ negl(λ).

3.5 Input-Activated ObfuscationIn this part, we present a concise definition of an abstraction called input-activated obfuscation which is presentedin [GLSW15]. We refer the reader to [GLSW15] for more details.

Let P = {P1, . . . , P`} be a set of ` programs, where each program comes from a family Pλ. Let M be an n× `× 2dimensional matrix (array) of binary elements, where Mi,j,β ∈ {0, 1} for i ∈ [n], j ∈ [`] and β ∈ {0, 1}. We also leti/j/β to denote the row, column, and “slot” of the matrix M . For each column of M we define a boolean functionfj : {0, 1}n → {0, 1}, where the program Pj is active on the input iff fj(x) = 1. The function fj(x) is defined to 1when Mi,j,xi = 1 for all i ∈ [n], and 0 otherwise.

An input-activated obfuscation is a pair of algorithms Create,Eval where:

• Create: The creation algorithm takes λ,M,P as input and creates an input-activated obfuscation T .

• Eval: The evaluation algorithm takes an input-activated obfuscation T and an input x ∈ {0, 1}n, and outputs abit.

19

Correctness. Let Sx ⊆ [`] denote the set of all (column) indices j such that fj(x) = 1. The correctness requires thatif Sx 6= ∅ and Pj = Pj′ for all j, j′ ∈ Sx, then Eval(T, x) = Pj(x) for all j ∈ Sx.

Inter-column Security. This game is parameterized by λ,M,P , two column indices j, k, a row index i∗, and a slotindex β such that Mi∗,j,β = 1. We assume that program descriptions Pj and Pk are identical. We also assume that forevery row i 6= i∗ and slot γ = 1− β, if Mi,k,γ = 1 then Mi,j,γ = 1. (This means that the column j dominates columnk)

The game proceeds as follows. First, the challenger samples a bit b. If b = 0, it runs Create(λ,M,P ) to produceT . If b = 1, it forms M ′ by copying M and flipping the (i∗, k, β)th entry. It then gives T to the adversary whereT is Create(λ,M ′, P ). The advantage of the adversary is defined to be the probability that it guesses the bit b. Aninput-activated obfuscation satisfies inter-column security if the advantage of any PPT adversary in the mentioned gameis negligible.

Intra-column Security. This game is parameterized by λ,M,P , an index j such that exists a row i∗ where thecorresponding slots are both 0, and two alternate columns C0 and C1 such that the i∗ row has both slots equal to 0.

The game proceeds as follows. First, the challenger samples a bit b. If b = 0, it runs Create(λ,M,P ) to produceT . If b = 1, it forms M ′ replacing jth column of M (in two slots) with C0 and C1 respectively. It then gives T to theadversary where T is Create(λ,M ′, P ). The advantage of the adversary is defined to be the probability that it guessesthe bit b. An input-activated obfuscation satisfies intra-column security if the advantage of any PPT adversary in thementioned game is negligible.

Completely Inactive Program Security. This game is parameterized by λ,M,P , an alternate program P ∗, and anindex j such that jth column contains all zero entries in both slots.

The game proceeds as follows. First, the challenger samples a bit b. If b = 0, it runs Create(λ,M,P ) to produceT . If b = 1, it forms P ′ by modifying P to replace the jth program with P ∗. It then gives T to the adversary whereT is Create(λ,M ′, P ′). The advantage of the adversary is defined to be the probability that it guesses the bit b. Aninput-activated obfuscation satisfies completely inactive program security if the advantage of any PPT adversary in thementioned game is negligible.

Single-input Program Security. This game is parameterized by λ,M,P , an alternate program P ∗, and an indexj such that jth column of M corresponds to a point function fj where fj evaluates to 1 on a single input x∗, andP ∗(x∗) = Pj(x

∗).The game proceeds as follows. First, the challenger samples a bit b. If b = 0, it runs Create(λ,M,P ) to produce

T . If b = 1, it forms P ′ by modifying P to replace the jth program with P ∗. It then gives T to the adversary whereT is Create(λ,M ′, P ′). The advantage of the adversary is defined to be the probability that it guesses the bit b. Aninput-activated obfuscation satisfies single-input program switching security if the advantage of any PPT adversary inthe mentioned game is negligible.

3.6 Leftover Hash LemmaWe consider the following lemmata which are related to the leftover hash lemma [IZ89], and its special cases over rings.

Lemma 3.5. Let X1 and X2 be two independent and identically distributed random variables with finite support S. IfPr[X1 = X2] ≤ (1 + 4ε2)/|S|, then the statistical distance between the uniform distribution over S and X1 is at mostε.

We remark that since the additive group of any ring is abelian, the following statement follows from uniformity (akaregularity) of subset sum over finite (abelian) groups.

Lemma 3.6. Let R be a finite ring with additive/multiplicative identity 0R/1R, and let m > 3 log|R|. Assume thatr← Rm is a vector of uniformly chosen ring elements. For any (unbounded) adversary we have

(r, rts)s≈ (r,u),

20

where u← Rm is an m-dimensional vector of uniformly chosen ring elements and s← {0R, 1R}m.

We also need the following simple statement. A proof can be found in [Mic02].

Lemma 3.7. Let R be a finite ring, and let r = (r1, . . . , rm) be an arbitrary vector in Rm. If u ← Rm, then thedistribution of utr (respectively, rtu) is uniform over the left (respectively, right) ideal in R generated by the set(r1, . . . , rm).

4 Noninteractive Multiparty Key ExchangeIn this section, we show a construction of noninteractive multiparty key exchange from a ring-embedded homomorphicsynthesizer. As we mentioned before, it is straightforward to show that a ring-homomorphic synthesizer is implied byeither any RIHwPRF (for which the input space does not depend on the choice of the key) or any RKHwPRF. First, wemention a hardness assumption that is implied by ring-homomorphic synthesizers. The following theorem is adaptingthe Theorem 1 of [AMP19] to ring-embedded homomorphic synthesizers.

Theorem 4.1. Let S : X × G → R be a ring-embedded homomorphic synthesizer, and let m = poly(λ) be an(arbitrary) positive integer. Let d = poly(λ) be such that d > 3 log|G|. Let R ← Rm×d be matrix of ring elementssuch that each entry ri,j (for i ∈ [m], j ∈ [d]) is drawn uniformly and independently from R. If s← {0R, 1R}d, thenfor any PPT adversary we have

(R,Rs)c≈ (R,u)

where u← Rm is a vector of uniformly chosen ring elements from R.

Proof. The proof is almost identical to the proof of Theorem 1 of [AMP19], and we sketch an argument here. First, wedefine a matrix M ∈ Rm×d as Mi,j = S(xi, gj), where xi ← X, gj ← G (for i ∈ [m], j ∈ [d]) are chosen uniformlyand independently. We also define the vector g as g = (g1, . . . , gd). Now, we show that (M,Ms)

c≈ (R,u) where

R ∈ Rm×d (resp. u ∈ Rm) is a uniformly chosen matrix (resp., vector) of ring elements. Using the homomorphism ofS and by the leftover hash lemma over rings (Lemma 3.6) we can write

Ms =

S (x1,

⊕s g)

S (x2,⊕

s g)...

S (xm,⊕

s g)

s≈

S (x1, g

∗)S (x2, g

∗)...

S (xm, g∗)

,

where g∗ ← G is uniformly chosen. By the pseudorandomness property of S, we have (M,Ms)c≈ (R,u). Observe

that since Mc≈ R, a straightforward reduction implies that (M,Ms)

c≈ (R,Rs). By triangle inequality, it follows that

(R,Rs)c≈ (R,u), as required.

Theorem 4.2. Let S : X ×G→ R be a ring-embedded homomorphic synthesizer, and let m = poly(λ) be a positiveinteger such that m > 3 log|G|. Let Mm(R) be the matrix ring over R, i.e., the ring of m by m square matrices overR. If F : Mm(R)×Mm(R)→ Mm(R) be the function defined by F (K,X) = X�K, then F is a weak PRF (andhence a synthesizer). In addition, F satisfies (right) Mm(R)-module homomorphism over the key space, i.e., for anyK,K′,X ∈ Mm(R) we have

F (K�K′,X) = F (K,X)� F (K′,X) , F (K�K′,X) = F (K,X)�K′,

where (�,�) is addition and multiplication over Mm(R), respectively.

Proof. Observe that (right) Mm(R)-module homomorphism of F over the key space is easy to verify. We now provethe weak pseudorandomness of F . Let Q = poly(λ) be any arbitrary positive integer. It is enough to show that

(A,AK)c≈ (A,U),

21

where A← RQm×m and U← RQm×m. One can view (A,AK) as stacking up Q input-output pairs in the real (weakPRF) game. By Theorem 4.1, we have

(A,As)c≈ (A,u),

where s ← {0R, 1R}m and u ← Rm. It is easy to see that if k ← Rm, then the distributions of k and s + k areidentical, where + denotes component-wise addition in Rm induced by R. It follows that

(A,Ak)s≈ (A,A(k + s))

c≈ (A,Ak + u)

s≈ (A,u′),

where u′ ← Rm. By applying a standard hybrid argument over the columns of AK, and using the fact that(A,Ak)

c≈ (A,u), it follows that

(A,AK)c≈ (A,U).

Noninteractive Three Party Key Exchange. Here we start with the simpler case of (noninteractive) three party keyexchange protocol from any ring-embedded homomorphic synthesizer. Later, we show how to construct a noninteractivekey exchange protocol for more than three parties, and we formally prove its security.

Given a ring-embedded homomorphic synthesizer S : X × G → R, we first fix parameters m > 3 log|G| andn > 6m2 log(|R|). Let R = Mm(R) denote m by m square matrices over R. We remark that log(|Rn×n|) ispolynomial in the security parameter, and hence elements ofRn×n can be represented using polynomially many bits.

We also assume that R(1) ← Rn×n and R(2) ← Rn×n are two matrices of uniformly chosen ring elements, andthey are published as public parameters of the protocol. The protocol is described as follows:

• Alice generates her own (secret) randomness SA ← Rn×n, and publishes PA := SAR(1).

• Bob chooses his randomness as SB ← Rn×n, and publishes (P(1)B ,P

(2)B ) where

P(1)B := R(1)SB , P

(2)B := SBR

(2).

• Charlies generates his randomness asRn×n, and publishes PC := R(2)SC .

• The final shared secret is S := SAR(1)SBR

(2)SC . Alice/Bob/Charlie can compute the final secret S as

S = SAR(1)SBR

(2)SC = SAP(1)B PC (Alice)

= PASBPC (Bob)

= PAP(2)B SC (Charlie).

We formally prove the secruity of mentioned key exchange protocol via the following theorem:

Theorem 4.3. Let S : X × G → R be a ring-embedded homomorphic synthesizer, and assume that m and n beintegers such that m > 3 log|G| and n > 6m2 log(|R|). Let R = Mm(R) denote m by m square matrices matricesover R. If R(1) ← Rn×n and R(2) ← Rn×n are two matrices of uniformly chosen ring elements, for any PPTadversary we have

(R(1),R(2),SAR(1),R(1)SB ,SBR


(2)SC)c≈ (R(1),R(2),SAR

(1),R(1)SB ,SBR(2),R(2)SC ,U)

where SA,SB ,SC ← Rn×n are uniformly chosen (secret) matrices, and U← Rn×n.

Before explaining the proof, we show a few auxiliary lemmata that will be crucial for proving the security of theprotocol.

22

Lemma 4.4. Let R be a finite ring, and let m > 6 log |R|. For a vector r ∈ Rm, let LKer(r) be the set of all vectorsw ∈ Rm such that wtr = 0R. If u← Rm and r← Rm, we have

(r,u,vtu)s≈ (r,u, s),

where v← LKer(r) and s← R.

Proof. We split the vectors as u = (u1,u2), r = (r1, r2), v = (v1,v2) such that u2, r2, and v2 all live in R3 log(|R|).By Lemma 3.6, it follows that if r2 is sampled uniformly, then (with overwhelming probability over the choice of r2)the (left) ideal generated by components of r2 is R, since otherwise the (left) ideal generated by r2 would not coverat least half of the elements in R (recall that any proper additive subgroup of R cannot contain more than half of theelements of R). Moreover, if a is sampled uniformly from R3 log(|R|) then atr2 is (statistically close to) uniform overR . It follows that

(r,v1,v2)s≈ (r,u′1,u

′2),

where u′1 ← Rm−3 log(|R|) is sampled uniformly and independently, and u′2 ∈ R3 log (|R|) is sampled conditioned onut1r1 + ut2r2 = 0R. This means that to generate a (statistically close to) uniform vector v in LKer(r), one can samplethe first m− 3 log (|R|) components (which is v1) uniformly, and generate the rest of the components (which is v2)conditioned on vt1r1 + vt2r2 = 0R. In particular, this implies that first m− 3 log(|R|) > 3 log(|R|) components of vgenerate R. By applying Lemma 3.7 and using the fact that components of v1 (and hence components of v) generate Rwith overwhelming probability, it follows that

(r,vtu)s≈ (r, s).

Now we compute the collision probability for two independent instances of (r,u,vtu) as

Pr[(r,u,vtu) = (r′,u′,v′tu′)] = Pr[vtu = v′

tu′ | r = r′,u = u′] · Pr[r = r′,u = u′]

= Pr[ut(v − v′) = 0R] · |R|−2m

= Pr[utv = 0R] · |R|−2m ≤ (1 + negl) · |R|−2m−1,

where the inequality follows from (r,vtu)s≈ (r, s), and the last equality follows from the fact that distribution of

v − v′ is identical to that of v (because LKer(r) forms an additive group). By applying Lemma 3.5, it follows that

(r,u,vtu)s≈ (r,u, s),

as required.

We also need the following lemma. The proof is identical to the previous case.

Lemma 4.5. Let R be a finite ring, and let m > 6 log |R|. For a vector r ∈ Rm, let RKer(r) be the set of all vectorsw ∈ Rm such that rtw = 0R. If u← Rm and r← Rm, we have

(r,u,utv)s≈ (r,u, s),

where v← RKer(r) and s← Rm.

Lemma 4.6. Let R be a finite ring, and let m > 6 log |R|. If r, r′,u,u′ ← Rm be four uniformly chosen vectors, andS← Rm×m be a uniformly chosen matrix of ring elements, we have

(r, r′, rtS,Sr′,u,u′,utSu′)s≈ (r, r′, rtS,Sr′,u,u′, s),

where s← R is a uniformly chosen single ring element.

23

Proof. Let M ∈ Rm×m be a matrix such that each column of M is uniformly and independently chosen from RKer(r).Similarly, let M′ ∈ Rm×m be matrix such that each row of M′ is uniformly and independently chosen from LKer(r′).Clearly, we have rtM = 0 and Mr′ = 0. Observe that if S is a uniform matrix, then S and S + MM′ are statisticallyindistinguishable, where + denotes the matrix addition induced by R. By replacing S with S + MM′, it is enough toshow that

(r, r′, rtS,Sr′,u,u′,utSu′ + utMM′u′)s≈ (r, r′, rtS,Sr′,u,u′, s).

Now consider the term utMM′u′. Since both M and M′ sampled independently from S, it suffices to prove that

(r, r′,u,u′,utMM′u′)s≈ (r, r′,u,u′, s).

By Lemma 4.5, and a simple (statistical) hybrid argument over the columns of M, it follows that

(r, r′,u,u′,utMM′u′)s≈ (r, r′,u,u′,vtM′u′),

where v← Rm is a uniform vector. Similarly, by Lemma 4.4 and using a hybrid argument over the rows of M′, we get

(r, r′,u,u′,vtM′u′)s≈ (r, r′,u,u′,vtv′),

where v′ ← Rm. Since v and v′ are uniform and independent of other terms, by Lemma 3.6 and Lemma 3.7 it followsthat

(r, r′,u,u′,vtv′)s≈ (r, r′,u,u′, s).

By triangle inequality, we conclude that

(r, r′, rtS,Sr′,u,u′,utSu′)s≈ (r, r′, rtS,Sr′,u,u′, s).

Now we prove the following lemma, which may be viewed as a weaker version of Theorem 4.3 where we used vectorssA and sC (instead of matrices) as Alice’s and Charlie’s secrets, respectively.

Lemma 4.7. Let S : X × G → R be a ring-embedded homomorphic synthesizer, and assume that m and n beintegers such that m > 3 log|G| and n > 6m2 log(|R|). LetR = Mm(R) denote m by m square matrices over R. IfR(1) ← Rn×n and R(2) ← Rn×n are two matrices of uniformly chosen ring elements, for any PPT adversary we have

(R(1),R(2), stAR(1),R(1)SB ,SBR

(2),R(2)sC , stAR

(1)SBR(2)sC)

c≈ (R(1),R(2), stAR

(1),R(1)SB ,SBR(2),R(2)sC , u),

where sA ← Rn,SB ← Rn×n, sC ← Rn, and u← R.

Proof. First, we define the following hybrids:

• H0: This corresponds to the “real” game, which is the tuple

(R(1),R(2), stAR(1),R(1)SB ,SBR

(2),R(2)sC , stAR

(1)SBR(2)sC).

• H1 In this hybrid, we replace the vector stAR(1) with a uniformly chosen vector ut1 ← Rn, i.e., the corresponding

tuple is(R(1),R(2),ut1,R

(1)SB ,SBR(2),R(2)SC ,u

t1SBR

(2)sC).

• H2: In this hybrid, we replace R(2)sC with a uniformly chosen vector u2 ← Rn, i.e., the corresponding tuple is

(R(1),R(2),ut1,R(1)SB ,SBR

(2),u2,ut1SBu2).

• H3: In this hybrid, we replace the term ut1SBu2 with a uniform element u← R, i.e., the corresponding tuple is

(R(1),R(2),u1,R(1)SB ,SBR

(2),u2, u).

24

• H4: In this hybrid, we replace ut1 with stAR(1), i.e., the corresponding tuple is

(R(1),R(2), stAR(1),R(1)SB ,SBR

(2),u2, u).

• H5: This corresponds to “ideal” game, and we replace u2 with R(2)sC . So the tuple is

(R(1),R(2), stAR(1),R(1)SB ,SBR

(2),R(2)sC , u).

Now we show that consecutive hybrids are indistinguishable, which implies the security of key exchange protocol.

• H0c≈ H1: By applying Theorem 4.1 and 4.2, if R ← Rn×n and s ← Rn then we have (R, stR)

c≈ (R,ut).

Assuming there is an attacker A that distinguishes H0 and H1, we construct an attacker B that distinguishes(R, stR) and (R,ut). Given a pair of the form (R, rt) (where r is either stR or random), the reduction(uniformly) samples R(2) ← Rn×n,SB ← Rn×n, sC ← Rn and sets R(1) := R. It then runs A on thefollowing tuple

(R(1),R(2), rt,R(1)SB ,SBR(2),R(2)sC , r

tSBR(2)sC).

Observe that if rt = stR, the tuple corresponds toH0. If rt is random, the tuple corresponds toH1. Hence, thereduction perfectly simulates the consecutive hybrids. It follows thatH0

c≈ H1.

• H1c≈ H2: This is similar to the proof ofH0

c≈ H1.

• H2c≈ H3: For two vectors x ∈ Rn1 and y ∈ Rn2 , let F (x,y) be an n1 by n2 matrix whose ij’th entry is xiyj .

We remark that we use the same notation for row vectors as well, so clearly we have

F (x,y) = F (xt,yt) = F (xt,y) = F (x,yt).

By Theorem 4.2, we know that F (x,y) is computationally indistinguishable from a uniform matrix U ∈ Rn1×n2 .Let x,y, r1, r2 ← Rn be four uniformly chosen vectors. Since statistical distance cannot be increased by applyinga (randomized) function, by Lemma 4.6 it follows that(

F (x, r), F (r′,y),u1, F (x, rtSB), F (SBr′,y),u2,u

t1SBu2

)s≈(F (x, r), F (r′,y),u1, F (x, rtSB), F (SBr

′,y),u2, u).

UsingR-module homomorphism of F we get(F (x, r), F (r′,y),u1, F (x, r)SB ,SBF (y, r′),u2,u

t1SBu2

)s≈ (F (x, r), F (r′,y),u1, F (x, r)SB ,SBF (y, r′),u2, u) .

By Theorem 4.2, we know that (F (x, r), F (r′,y))c≈ (R(1),R(2)) where R(1),R(2) ← Rn×n. By plugging in

the corresponding terms, it follows that

(R(1),R(2),ut1,R(1)SB ,SBR

(2),u2,ut1SBu2)

c≈ (R(1),R(2),ut1,R

(1)SB ,SBR(2),u2, u).


c≈ H1.


c≈ H1.

Proof of Theorem 4.3. The idea is similar to the proof ofH2c≈ H3 in the previous lemma. By Lemma 4.7, we know

that (R(1),R(2), stAR

(1),R(1)SB ,SBR(2),R(2)sC , s

tAR

(1)SBR(2)sC

)c≈(R(1),R(2), stAR

(1),R(1)SB ,SBR(2),R(2)sC , u

).

25

Let x← Rm be a uniform vector. Since F (stAR(1),x) and F (x, u) can be computed in polynomial time, it follows

that (R(1),R(2), F (x, stAR

(1)),R(1)SB ,SBR(2),R(2)sC , F (x, stAR

(1)SBR(2)sC)

)c≈(R(1),R(2), F (x, stAR

(1)),R(1)SB ,SBR(2),R(2)sC , F (x, u)

).

UsingR-module homomorphism of F we get(R(1),R(2), F (x, stA)R(1),R(1)SB ,SBR

(2),R(2)sC , F (x, stA)R(1)SBR(2)sC

)c≈(R(1),R(2), F (x, stA)R(1),R(1)SB ,SBR

(2),R(2)sC , F (x, u)).

By Theorem 4.2, we know that (F (stA,x), F (x, u))c≈ (SA,u

t) where SA ← Rn×n and u← Rn. By plugging in thecorresponding terms, it follows that(

R(1),R(2),SAR(1),R(1)SB ,SBR

(2),R(2)sC ,SAR(1)SBR

(2)sC

)c≈(R(1),R(2),SAR

(1),R(1)SB ,SBR(2),R(2)sC ,u

).

By a similar argument if y← Rn, we have(R(1),R(2),SAR

(1),R(1)SB ,SBR(2),R(2)F (sC ,y),SAR

(1)SBR(2)F (sC ,y)

)c≈(R(1),R(2),SAR

(1),R(1)SB ,SBR(2),R(2)F (sC ,y), F (u,y)

).

By Theorem 4.2, we know that (F (sC ,y), F (u,y))c≈ (SC ,U) where SA ← Rn×n and U← Rn×n. By plugging in

the corresponding terms, it follows that

(R(1),R(2),SAR(1),R(1)SB ,SBR


(2)SC)c≈ (R(1),R(2),SAR

(1),R(1)SB ,SBR(2),R(2)SC ,U),

and the proof is complete.

Generalizing to Any Number of Parties. Now we describe a (noninteractive) k-party key exchange protocol forany k. Similar to the three-party case, let S : X ×G→ R be a ring-embedded homomorphic synthesizer, and assumethat m and n be integers such that m > 3 log|G| and n > 6m2 log(|R|). Let R = Mm(R) denote m by m squarematrices matrices over R, and let R(1), . . . ,R(k−1) be k− 1 matrices that are uniformly chosen fromRn×n (publishedas public parameters). The protocol is described as follows:

• Party 1 chooses its randomness S1 ← Rn×n, and publishes P1 = S1R(1).

• Each party i (for 2 ≤ i ≤ k − 1) chooses its randomness Si ← Rn×n, and publishes (P(1)i ,P

(2)i ) where

P(1)i = R(i−1)Si , P

(2)i = SiR

(i).

• Party k chooses its randomness Sk ← Rn×n, and publishes Pk = R(k−1)Sk.

• The final shared secret is S = S1R(1)S2R

(2) · · ·Sk−1R(k−1)Sk. Parties can compute the final secret S as

S = S1P(1)2 P

(1)3 · · ·P

(1)k−1Pk (Party 1)

= P1P(2)2 · · ·P2

i−1SiP(1)i+1 · · ·P

(1)k−1Pk (Party i for 2 ≤ i ≤ k − 1)

= P1P(2)2 P

(2)3 · · ·P

(2)k−1Sk (Party k).

26

The security proof for the aforementioned protocol is similar to the proof of 4.3, and we sketch an argument here.Let the following matrices(

{Si}i∈[k], {R(i)}i∈[k−1],P1, {P(1)i ,P

(2)i }i∈[k−1],Pk, S

),

be defined as in the protocol. It is enough to show that({R(i)}i∈[k−1],P1, {P(1)

i ,P(2)i }i∈[2,k−1],Pk, S

)c≈({R(i)}i∈[k−1],P1, {P(1)

i ,P(2)i }i∈[2,k−1],Pk,U

)where U← Rn×n is a uniform matrix. The security proof is similar to the three party case, and we sketch anargument here. First, observe that similar to the three-party case, it is sufficient to prove the following “inefficient”version of the protocol(

{R(i)}i∈[k−1],P1, {P(1)i ,P

(2)i }i∈[2,k−1],R

(k−1)sk,S1R(1) · · ·Sk−1R(k−1)sk

)c≈({R(i)}i∈[k−1],P1, {P(1)

i ,P(2)i }i∈[2,k−1],R

(k−1)sk,u),

where kth party used a vector (instead of a matrix) as its secret. To prove the latter, first we replace R(k−1)skwith a uniform vector u′. We then replace R(k−1) with F (r,x) where r,x are uniform vectors in Rn. ByTheorem 4.2, we need to prove that(

{R(i)}i∈[k−2], F (r,x),P1, {P(1)i ,P

(2)i }i∈[2,k−1],u

′,S1R(1) · · ·Sk−1u′

)c≈({R(i)}i∈[k−2], F (r,x),P1, {P(1)

i ,P(2)i }i∈[2,k−1],u

′,u),

and hence it is enough to show that({R(i)}i∈[1,k−2], r,P1, {P(1)

i ,P(2)i }i∈[,k−2],R

(k−2)Sk−1,Sk−1r,u′,S1R

(1) · · ·R(k−2)Sk−1u′)

c≈({R(i)}i∈[1,k−2], r,P1, {P(1)

i ,P(2)i }i∈[,k−2],R

(k−2)Sk−1,Sk−1r,u′,u).

Observe that if Sk−1r was not present in the tuples above, then the computational indistinguishability of twotuples would follow from security of (k−1)-party key exchange protocol. To get around this problem, we replaceR(k−2) with F (r′,y) where r′ and y are sampled uniformly and independently fromRn. We also replace Sk−1with Sk−1 + M where M ∈ Rn×n is a matrix whose columns uniformly and independently sampled fromRKer(y). By Lemma 4.4, the term (Sk−1 + M)r will be uniform and independent of other components of thetuple. On the other hand, Sk−1 and Sk−1 + M are statistically indistinguishable. It follows that(

{R(i)}i∈[1,k−2], r,P1, {P(1)i ,P

(2)i }i∈[,k−2],R

(k−2)Sk−1, u,u′,S1R

(1) · · ·R(k−2)Sk−1u′)

c≈({R(i)}i∈[1,k−2], r,P1, {P(1)

i ,P(2)i }i∈[,k−2],R

(k−2)Sk−1, u,u′,u),

where u is uniform and independent of any other randomness. It is easy to see that the tuples above arecomputationally indistinguishable based on the security of (k − 1)-party key exchange protocol. The rest of theproof is almost identical to 3-party case, and hence we omit the details.

Remark 4.8. We remark that in the constructions and proofs above, we never used the fact that the output ring Rof the ring-embedded homomorphic synthesizer is commutative. The reader may note that for any nontrivial ringR, the matrix ring Mn(R) for any n > 2 is noncommutative. Therefore, all the constructions inherently rely onnoncommutative matrix rings, and hence some of the known algorithms to solve a system of linear equationsover certain commutative rings are not applicable here.

27

5 Input-Activated Indistinguishability Obfuscator

In this section, we show how to construct an indistinguishability obfuscator for NC1 from any ring-embeddedhomomorphic synthesizer. Given a ring-embedded homomorphic synthesizer S : X ×G→ R, we fix appropriatelylarge parameter m. Let I and 0 denote the identity matrix and all-zero matrix of dimension m×m over the ring R,respectively.

5.1 Core iO Construction

Permutation Branching Programs. Throughout this section, we assume that any NC1 program is represented asan oblivious permutation branching program P of width 5. Let P = {M`,0,M`,1}`∈[L], where L denotes the depthof P and each M`,b ∈ {0, 1}5×5 is a permutation matrix. Also, let x1, . . . , xN denote the input variables, and letφ : [L] → [N ] be a mapping such that for each ` ∈ [L], i = φ(`) indicates which variable xi controls the `th levelbranch.

Killian-Style Randomization. We uniformly randomly sample additional permutation matrices Z1, . . . , ZL−1 ∈{0, 1}5×5, and define a new set of matrices {N`,b}`∈[L],b∈{0,1}, where

N`,b = Z−1`−1M`,bZ`,

where Z0 and ZL are both set to be the identity permutation. Note that the set of all permutation matrices over {0, 1}5×5form a group, which has the following implications:

• Each permutation matrix Z` is efficiently invertible.

• Each resulting matrix N`,b is also a permutation matrix.

• The aforementioned randomization technique information-theoretically hides the original set of permutationmatrices, while retaining the program behavior as is.

Ring-Embedding Permutation Matrices. Throughout this section, we will use the following strategy to embed apermutation matrix into the output ringR of the homomorphic synthesizer S. Given a permutation matrixN`,b ∈ {0, 1}5,its ring-embedding N`,b is defined as a 5m× 5m matrix over the ring R of the form:

N`,b =

N`,b,1,1 . . . N`,b,1,5

.... . .

...N`,b,5,1 . . . N`,b,5,5

,where for each w, v ∈ [5], N`,b,w,v ∈ Rm×m is as defined below:

N`,b,w,v =

{0 if N`,b[w, v] = 0,

uniformly random otherwise.

Note that by Theorem 4.2, the set of such ring-embedded permutation matrices is closed over the ring R.

Generating Guard Matrices. We generate a sequence of “guard” matrix-pairs {(L`,R`)}`∈[L] (over the ring Runderlying the homomorphic synthesizer) such that the following conditions hold:

• For each ` ∈ [L], the “left guard” L` is of dimension c1cm × c2m and the “right guard” R` is of dimensionc2m × c1m where c1, c2 are constants such that c1 >> c2. Intuitively, each left guard will be very “tall andskinny” matrix, while each right guard is a “short and fat matrix”.

28

• For each ` ∈ [L− 1], we haveR`L`+1 = D` ∈ Rc2m×c2m,

where D` is a “block-diagonal” matrix of the form

D` =

D`,1

D`,2 0R

D`,3

. . .

0R. . .

D`,c2m

,

where for each j ∈ [c2m], D`,j is a square matrix of dimension m×m over the ring R. More formally, supposethat for some ` ∈ [L− 1], the guard matrices R` and L`+1 have the following structure:

R` =

−− −− R`,1 −− −−...

−− −− R`,c2m −− −−

, L`+1 =

| || |

L`+1,1 · · · L`+1,c2m

| || |

.

Then for each j, j′ ∈ [c2m], we have

R`,jL`,j′ =

{D`,j if j = j′,

0 if j 6= j′.

We now show that such a sequence of matrix-pairs can be created efficiently. For each ` ∈ [L− 1] and parameter mas described above, do the following:

1. Sample uniform matrices A` ← Rc2m×(c1/2−c2)m and B` ← Rc2m×(c1/2−c2)m, and set

Y` =[A` J

], Z` =

B`

J−1 (D−A`B`)

,where D` is a uniformly sampled “block-diagonal” matrix Rc2m×c2m as described above, and J is an uppertriangular matrix in Rc2m×c2m with an efficiently computable inverse. More specifically, we have:

J =

1R 1R 1R . . . 1R1R 1R . . . 1R

. . . . . ....

0R. . . 1R

1R

, J−1 =

1R (−1)R 0R 0R . . . 0R1R (−1)R 0R . . . 0R

. . . . . . . . ....

. . . . . . 0R

0R. . . (−1)R

1R

,

where (−1)R denotes the additive inverse of 1R over the ring R and 0R denotes an all-zero sub-matrix ofappropriate dimensions.

29

2. Sample a uniform square matrix X` ← R(c1/2)m×(c1/2)m and a uniform matrix U` ← Rc2m×(c1/2)m, and setR` and L`+1 as:

R` =[U` U`X` + Y`

], L`+1 =

−X`Z`

Z`

It easy to see that for each ` ∈ [L− 1], we have

R`L`+1 = −U`X`Z` + (U`X` + Y`)Z` = Y`Z` = A`B` + DD−1 (D−A`B`) = D.

Note that we do not explicitly generate the “end-guard” matrices L1 and RL. For the moment, we assume that theseguard matrices are set to the identity matrix I over Rm×m.

A Simple iO construction. We are now ready to describe a simple version of our iO construction. Given an obliviousbranching program of depth L, the obfuscation algorithm does the following :

1. Step-1: Construct a sequence of ring-embedded permutation matrices of the form {N`,b}`∈[L],b∈{0,1} as de-scribed above.

2. Step-2: Generate a sequence of “guard” matrix-pairs {(L`,R`)}`∈[L] satisfying the constraints as describedabove, for constants c2 = 5 and c1 >> 5.

3. Step-3: Generate a a sequence of 2L “guarded” program matrix encodings {N`,b}`∈[L],b∈{0,1}, where

N`,b = L`N`,bR`.

Evaluation and Zero-testing. To efficiently evaluate the program on an input x = (x1, . . . , xN ), one can computethe following “subset-product” of the “guarded” program matrix encodings:

Q =

L∏`=1

N`,xφ(`) .

It is easy to see that the final product Q is matrix of dimension 5m× 5m. Suppose, Q is structured as follows:

Q =

Q1,1 . . . Q1,5

.... . .

...Q5,1 . . . Q5,5

,Also, letQ be the permutation matrix resulting from performing the same “subset-product” on the actual permutation

matrices in the clear, i.e., let

Q =

L∏`=1

M`,xφ(`) .

The zero test procedure crucially uses the following relation that holds with overwhelmingly large probabilitybetween each submatrix Qw,v and the permutation matrix Q for any (w, v) ∈ [5]× [5]:

Qw,v = 0 if and only if Q[w, v] = 0.

The zero test will then choose a single non-diagonal entry (i, j). Note that this entry is non-zero whenever thebranching program outputs 0, i.e., whenever the matrix product Q is not the identity permutation matrix. Hence, itsuffices for the zero test to check whether the corresponding submatrix Qi,j is zero or non-zero.

This construction gives us the desired functionality. However, it is not secure since it does not ensure consistency.

30

Enforcing Consistency. We now augment the aforementioned construction to enforce consistency. In other words,for a variable xi that is associated with multiple levels of the program, the check should enforce that the same value ofxi is used at all the associated levels. We handle this in our construction by making two main alterations to the previousconstruction:

1. We increase the number of matrix encodings used for the construction from 2L to 2L+ 2N . We refer to the firstset of 2L block diagonal matrices as “program-carrying matrices” and the next set of 2N block diagonal matricesas “enforcer matrices”, following the nomenclature introduced in [GLSW15].

2. In addition to the ring-embedded program matrices, we incorporate ”consistency sub-matrices” into both sets ofencodings.

We now describe in details how each of these steps are executed:

1. Generating Program-Carrying Matrices. Recall that in the previous construction, at each level ` ∈ [L] andfor each bit b ∈ {0, 1}, we had a ring-embedded permutation matrix N`,b of dimension 5m× 5m, structured asfollows:

N`,b =

N`,b,1,1 . . . N`,b,1,5

.... . .

...N`,b,5,1 . . . N`,b,5,5

,For each level ` ∈ [L] and for each bit b ∈ {0, 1}, we now construct a set of 5 ·5 block diagonal ‘program-carryingmatrices” {P`,b,w,v}w,v∈[5], each of dimension (2(L+N) + 1)m× (2(L+N) + 1)m, structured as:

P`,b,w,v =

N`,b,w,v

C(`,1),(b,0),(w,v)

C(`,1),(b,1),(w,v)

. . .C(`,L+N),(b,0),(w,v)

C(`,L+N),(b,1),(w,v)

,

where for each ` ∈ [L], each `′ ∈ [L+N ], each b, b′ ∈ {0, 1} and each matrix position (w, v) ∈ [5]× [5], wehave

C(`,`′),(b,b′),(w,v) =


.

2. Generating Enforcer Matrices. Next, for each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, we constructan additional block diagonal ‘enforcer matrices” Ei,b of dimension (2(L + N) + 1)m × (2(L + N) + 1)m,structured as:

Ei,b =

Ti,b

C(i,1),(b,0)

C(i,1),(b,1)

. . .C(i,L+N),(b,0)

C(i,L+N),(b,1)

,

where for each i ∈ [N ], each `′ ∈ [L+N ], and each b, b′ ∈ {0, 1}, we have Ti,b ← Rm×m, and

C(`,`′),(b,b′) =

{0 if (i, b′) = (φ`, b),

uniform in Rm×m otherwise.,

where recall that φ : [L] → [N ] is a mapping such that for each ` ∈ [L], i = φ(`) indicates which variable xicontrols the `th level branch.

31

3. Guarding Program-Carrying And Enforcer Matrices. As before, we generate a sequence of “guard” matrix-pairs. Notice that we now need 2(L + N) guard matrices in order to cover both the program-carrying andenforcer matrices. More specifically, we generate a sequence of guard matrices {(L`,R`)}`∈[L+N ] satisfying theconstraints as described above, albeit for constants c2 = 2(L+N) + 1 and c1 >> 2(L+N) + 1.

Note that one difference from the simple iO construction presented earlier is in how we generate the “end-guard” matrices L1 and RL. In the simple construction, we assumed that these guard matrices were setto the identity matrix I over Rm×m. For this construction, we assume that L1 ∈ Rm×(2(L+N)+1)m andRL ∈ R(2(L+N)+1)m×m are structured as follows:

L1 =[I I . . . I

], RL =

II...I

.Finally, we create a sequence of (5 · 5 · 2L+ 2N) “guarded” program matrix encodings of the form

{P`,b,w,v}`∈[L+N ],b∈{0,1},w∈[5],v∈[5], {Ei,b}`∈[L+N ],b∈{0,1},

where for each level ` ∈ [L], each bit b ∈ {0, 1} and each matrix position (w, v) ∈ [5]× [5], we have

N`,b,w,v = L`P`,b,w,vR`,

and for each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, we have

Ei,b = LL+iEi,bRL+i.


Q =

L∏`=1

P`,xφ(`) ,

where each P`,xφ(`) may be viewed as a 5× 5 super-matrix of the corresponding program-carrying matrices

{P`,xφ(`),w,v}w,v∈[5].

Suppose, Q is structured as follows:

Q =

Q1,1 . . . Q1,5

.... . .

...Q5,1 . . . Q5,5

,Also, letQ be the permutation matrix resulting from performing the same “subset-product” on the actual permutation

matrices in the clear, i.e., let

Q =

L∏`=1

M`,xφ(`) .

As in the simple construction, the zero test will choose a single non-diagonal (i, j) so that it is non-zero as an entryof the subset-product Q whenever the branching program outputs 0 (i.e. whenever the matrix product Q is not theidentity permutation matrix). It then performs an additional subset-product of the form

Q′ = Qi,j

N∏i=1

EL+i,xi .

Observe that Q′ is a matrix of dimension m×m. At this point, the zero test simply checks if Q′ = 0. If yes, it outputs1, else it outputs 0.

32




Thus the only potential contributions to the value of Q′ come from the diagonal slots corresponding to the ring-embedded permutation matrices. It is now easy to see that Q′ 6= 0 if and only if the plaintext matrix subset-product Qhas a non-zero entry in the position (i, j), indicating that the program P outputs 0 on input x.

5.2 Parallel iO ConstructionThe next challenge towards our eventual goal of building iaiO is to be able to evaluate multiple oblivious branchingprograms in parallel on the same set of inputs (where each program has the same size and the same level-to-inputmapping, but potentially differs in the contents of their matrices). For the parallel iO construction, we borrow fromideas presented in [GLSW15].

In [GLSW15], the authors present a strategy for executing multiple functionally equivalent programs in parallel byembedding the corresponding permutation matrices from different programs in different subgroups of a multilinear mapand “aggregating” them into a single group element. In this section, we present a construction strategy that ports theirideas into the setting of ring-homomorphic synthesizers.

At a high level, we create “aggregate” matrices, which are block-diagonal matrices that have ring-embeddedpermutation matrices from different programs in different diagonal “slots”. The evaluation process remains the same asin the core iO construction, namely, given an input, we compute the corresponding subset product of the aggregatematrices depending on the input.

Recall that each aggregate matrix places permutation matrices from different programs in different diagonal “slots”.This implies that any subset product of these aggregate matrices would be a block diagonal matrix, where each diagonal“slot” contains the subset product of permutation matrices from the corresponding program. In other words, evaluationresults in an “aggregate evaluation matrix”, where each diagonal slot contains the evaluation of the correspondingprogram on the same input.

Note that we ignore input-activations at the moment. In other words, we assume that every input activates everyprogram. It turns out that once we achieve an iO construction capable of evaluating multiple programs in parallel,incorporating input activations into it follows immediately via a few simple tweaks.

Generating Aggregate Matrices. Let P1, . . . , PT be the oblivious branching programs of depth L that are to behandled in parallel, where for each t ∈ [T ], we have

Pt = {Mt,`,0,Mt,`,1}`∈[L].

As before, we uniformly randomly sample additional permutation matrices Z1, . . . , ZL−1 ∈ {0, 1}5×5, and definea new set of matrices {Nt,`,b}t∈[T ],`∈[L],b∈{0,1}, where

Nt,`,b = Z−1`−1Mt,`,bZ`,

where Z0 and ZL are both set to be the identity permutation.Let the corresponding set of ring-embedded permutation matrices be denoted as {Nt,`,b}t∈[T ],`∈[L],b∈{0,1}, where

each Nt,`,b is structured as follows:

Nt,`,b =

Nt,`,b,1,1 . . . Nt,ell,b,1,5

.... . .

...Nt,`,b,5,1 . . . Nt,`,b,5,5

.33

For each program index t ∈ [T ], each level ` ∈ [L] and each bit b ∈ {0, 1}, we construct an “aggregate”block-diagonal matrix A`,b,w,v , structured as:

At,`,b =

N1,`,b,w,v

. . .NT,`,b,w,v

.Generating Program-Carrying Matrices. As in the core iO construction, for each level ` ∈ [L] and for each bitb ∈ {0, 1}, we now construct a set of 5 · 5 block diagonal ‘program-carrying matrices” {P′`,b,w,v}w,v∈[5], each ofdimension (2(L+N) + T )m× (2(L+N) + 1)m, structured as:

P′`,b,w,v =

A`,b,w,v

C(`,1),(b,0),(w,v)

C(`,1),(b,1),(w,v)

. . .C(`,L+N),(b,0),(w,v)

C(`,L+N),(b,1),(w,v)

,

where, as in the core iO construction, for each ` ∈ [L], each `′ ∈ [L+N ], each b, b′ ∈ {0, 1} and each matrix position(w, v) ∈ [5]× [5], we have

C(`,`′),(b,b′),(w,v) =


.

Note that the only change from the core iO construction is that we now place the “aggregate matrix” A`,b,w,v at the topleft corner of each program-carrying matrix as opposed to just a single ring-embedded permutation matrix. As a sanitycheck, observe that for the special case where the number of programs T = 1, a program-carrying matrix in the paralleliO construction becomes identical to that in the core iO construction.

Generating Enforcer Matrices. Next, for each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, we construct anadditional “enforcer matrix” E′i,b of dimension (2(L+N) + T )m× (2(L+N) + T )m, structured as:

E′i,b =

Ti,b

C(i,1),(b,0)

C(i,1),(b,1)

. . .C(i,L+N),(b,0)

C(i,L+N),(b,1)

,

where, as in the core iO construction, for each i ∈ [N ], each `′ ∈ [L+N ], and each b, b′ ∈ {0, 1}, we have

C(`,`′),(b,b′) =

{0 if (i, b′) = (φ(`), b),


where recall that φ : [L]→ [N ] is a mapping such that for each ` ∈ [L], i = φ(`) indicates which variable xi controlsthe `th level branch.

The only change from the core iO construction is in how we generate the matrix Ti,b. Note that in the core iOconstruction, we have Ti,b sampled uniformly from Rm×m. In the parallel version of the construction, we insteadstructure Ti,b as a block diagonal matrix in RTm×Tm, as described below:

Ti,b =

T1,i,b

. . .TT,i,b

,34

where for each program index t ∈ [T ], the block matrix Tt,i,b is sampled uniformly from Rm×m. Once again, as asanity check, observe that for the special case where the number of programs T = 1, an enforcer matrix in the paralleliO construction becomes identical to that in the core iO construction.

Generating Guarded Encodings. As in the core iO construction, we generate a sequence of guard matrices{(L`,R`)}`∈[L+N ] satisfying the constraints as described above, albeit for constants c2 = 2(L+N) + T and c1 >>2(L+N)+T . In particular, we generate “end-guard” matrices L1 ∈ Rm×(2(L+N)+T )m and RL ∈ R(2(L+N)+T )m×m

are structured as follows:

L1 =[I I . . . I

], RL =

II...I

.Next, we create a sequence of (5 · 5 · 2L+ 2N) “guarded” program matrix encodings of the form

{P`,b,w,v}`∈[L+N ],b∈{0,1},w∈[5],v∈[5], {Ei,b}i∈[N ],b∈{0,1},

where for each level ` ∈ [L], each bit b ∈ {0, 1} and each matrix position (w, v) ∈ [5]× [5], we have

P`,b,w,v = L`P′`,b,w,vR`,

and for each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, we have

Ei,b = LL+iE′i,bRL+i.


Q =

L∏`=1

P`,xφ(`) ,


{P`,xφ(`),w,v}w,v∈[5].


Q =

Q1,1 . . . Q1,5

.... . .

...Q5,1 . . . Q5,5

,Also, let Qt be the permutation matrix resulting from performing same “subset-product” on the actual permutation

matrices of program Pt in the clear, i.e., let

Qt =

L∏`=1

Mt,`,xφ(`) .

As in the simple construction, the zero test will choose a single non-diagonal (i, j) so that it is non-zero as an entryof the subset-product Q whenever the branching program outputs 0 (i.e. whenever the matrix product Q is not theidentity permutation matrix). It then performs an additional subset-product of the form

Q′ = Qi,j

N∏i=1

EL+i,xi .


35




Thus the only potential contributions to the value of Q′ come from the diagonal slots corresponding to the ring-embedded permutation matrices. It is now easy to see that Q′ 6= 0 if and only if the plaintext matrix subset-product Qtcorresponding to some program Pt has a non-zero entry in the position (i, j), indicating that this program Pt outputs 0on input x.

5.3 Incorporating Input-Activations: iaiO ConstructionThe previous iO construction may be viewed as an iaiO construction with the all-ones input activation matrix, i.e.,where every input activates every program. In order to achieve full-fledged iaiO, we need to incorporate arbitrary inputactivations into this construction. We do this by tweaking certain parts of the “enforcer matrices” in the previous iOconstruction. The tweaks are based on ideas presented in the [GLSW15] paper.

Recall that in the parallel iO construction, for each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, we generateda block diagonal ‘enforcer matrix” E′i,b of dimension (2(L+N) + T )m× (2(L+N) + T )m, structured as:

E′i,b =

Ti,b

C(i,1),(b,0)

C(i,1),(b,1)

. . .C(i,L+N),(b,0)

C(i,L+N),(b,1)

,

where, we structured Ti,b as a block diagonal matrix in RTm×Tm, as described below:

Ti,b =

T1,i,b

. . .TT,i,b

,where for each program index t ∈ [T ], the block matrix Tt,i,b was sampled uniformly from Rm×m.

In the full-fledged iaiO construction, we generate these enforcer matrices in exactly the same way, except for themanner in which each Tt,i,b,w,v block matrix is generated. We generate each Tt,i,b block matrix depending on someadditional input activation information that the obfuscation algorithm takes as input.

More concretely, let G be the “activation matrix” of dimension N × T × 2, where each i ∈ [N ] is the “row”corresponding to the input bits, each t ∈ [T ] is the “column” corresponding to the program number, and b ∈ {0, 1} isthe bit corresponding to activation on the particular input bit value. Now, for each i ∈ [N ], t ∈ [T ] and b ∈ {0, 1}, wegenerate the matrix Tt,i,b as follows:

Tt,i,b =

{0 if G[i, t, b] = 0,

uniform in Rm×m otherwise..

36

Evaluation and Zero-testing. Evaluation and zero-testing for the iaiO construction is exactly the same as in theparallel iO construction. Nonetheless, we repeat it here for the sake of completeness.

To efficiently evaluate the program on an input x = (x1, . . . , xN ), one can compute the following “subset-product”of the “guarded” program matrix encodings:

Q =

L∏`=1

P`,xφ(`) ,


{P`,xφ(`),w,v}w,v∈[5].


Q =

Q1,1 . . . Q1,5

.... . .

...Q5,1 . . . Q5,5

,Also, let Qt be the permutation matrix resulting from performing same “subset-product” on the actual permutation

matrices of program Pt in the clear, i.e., let

Qt =

L∏`=1

Mt,`,xφ(`) .

As in the parallel iO construction, the zero test will choose a single non-diagonal (i, j) so that it is non-zero as anentry of the subset-product Q whenever the branching program outputs 0 (i.e. whenever the matrix product Q is not theidentity permutation matrix). It then performs an additional subset-product of the form

Q′ = Qi,j

N∏i=1

EL+i,xi .





Thus the only potential contributions to the value of Q′ come from the diagonal slots corresponding to thering-embedded permutation matrices.

Additionally, observe the following:

1. Suppose some program Pt is not activated by the input x. Then, the input-activation matrix G has a 0 in the slotcorresponding to xi on some row i ∈ [N ] and in column t. Then one of the included enforcing matrices willprevent the program Pt from contributing to the final output.

2. Suppose instead that the program Pt is activated by the input x. Then, the input-activation matrix G has a 1in the slot corresponding to xi on some row i ∈ [N ] and in column t. Hence, none of the included enforcingmatrices will prevent the program Pt from contributing to the final output.

It is now easy to see that Q′ 6= 0 if and only if the plaintext matrix subset-product Qt corresponding to someactivated program Pt has a non-zero entry in the position (i, j), indicating that this program Pt outputs 0 on input x.

37

6 The Subspace Hiding Assumption

In this section we define our subspace hiding assumption. It can be viewed as analogous to the assumptionof [GLSW15] in spirit, although it is syntactically very different. Before formally describing the assumption, weintroduce certain notations used in describing the assumptions.

Diagonal Matrices. Consider a class of block diagonal matrices D ∈ R(n`)×(n`). We break down D into an ` by `blockwise structure: in other words, we assume the D is composed of `2 square blocks of size n× n, which we denoteDi,j , and we assume that Di,j = 0 if i 6= j. We generally drop the double subscript and represent the diagonal entriesby Di. Graphically, this looks like

D =

D1

D2 0R

D3

. . .

0R. . .

D`

,

We introduce some more notation around diagonal matrices which will allow us to simplify our presentation in thissection:

1. Di ∈ R(n`)×(n`) denotes a block diagonal matrix with the restriction that the ith diagonal block is zero.

2. Di,j ∈ R(n`)×(n`) denote a block diagonal matrix with the restriction that the ith and jth diagonal blocks arezero.

3. Di ∈ R(n`)×(n`) denotes a block diagonal matrix with the restriction that all diagonal blocks except the ith

diagonal block are zero.

4. Di,j ∈ R(n`)×(n`) denotes a block diagonal matrix with the restriction that all diagonal blocks except the ith andjth diagonal blocks are zero.

We will sometimes need to compress such diagonal matrices into rows and columns. We let I` denote the matrixconsisting of a tensor of the identity matrix in n dimensions with the `-dimensional all 1Rs vector. Correspondingly, welet (I`)T be the transpose of I`. We use these matrices to extract the non-zero block diagonals of our diagonal matricesinto rows and columns, respectively.

The Guard Matrices. Let n, m and ` be integers such that n` << m. We use a set of matrices Li ∈ Rm×(n`) fori ∈ [2, z], and Ri ∈ R(n`)×m for i ∈ [1, z − 1]. In addition, we consider submatrices of Li and Ri, respectively.Let Li,j ∈ Rm×n be the submatrix of Li consisting of the (j − 1)n + 1th through the jnth columns of Li, and letRi,j ∈ Rn×m be the submatrix of Ri consisting of the (j − 1)n+ 1th through the jnth rows of Ri, and let Ri,j . Inother words, our matrices have the following structure:

Ri =

−− −− Ri,1 −− −−−− −− Ri,2 −− −−

...−− −− Ri,`−1 −− −−−− −− Ri,` −− −−

, Li =

| | | || | | |

Li,1 Li,2 · · · Li,`−1 L1,`

| | | || | | |

38

Experiment ExptSubspace-HidingR,`,z,b :

1. The adversary A chooses two challenge-slots i∗0, i∗1 ∈ [`] and a challenge-index j∗ ∈ [z]. It provides

(i∗0, i∗1, j∗) to the challenger.

2. The challenger provides the adversary with the following:

(a) Generators: For each j ∈ [z] and each i ∈ [`] \ {i∗1}: many samples of the form LjDiRj , where Di

is a randomly sampled matrix of the appropriate form as described above, except for when j = 1 andj = z, where the samples are of the form I`DiR1 and LzDi(I`)T , respectively.

(b) Challenge-Relevant Elements: For each j ∈ [z]: many samples of the form LjDi∗0 ,i∗1Rj , where

Di∗0 ,i∗1 is a randomly sampled matrix of the appropriate form, except for when j = 1 and j = z, where

the samples are of the form I`Di∗0 ,i∗1R1 and LzDi∗0 ,i

∗1 (I`)T , respectively.

(c) Special Challenge-Index Elements: Many samples of the form Lj∗Di∗1Rj∗ , where Di∗1 is arandomly sampled matrix of the appropriate form, except for when j∗ = 1 or j∗ = z, where thesamples are of the form I`Di∗1R1 or LzDi∗1 (I`)T , respectively.

(d) The Challenge Element: A sample that is of one of the two following forms:

• Lj∗Di∗0Rj∗ if b = 0, or

• Lj∗Di∗0 ,i∗1Rj∗ if b = 1,

where Di∗0 and Di∗0 ,i∗1 are randomly sampled matrices of the appropriate form, except for when j∗ = 1,

where the sample is of one of the two following forms:

• I`Di∗0R1 if b = 0, or

• I`Di∗0 ,i∗1R1 if b = 1,

or when j∗ = z, where the sample is of one of the two following forms:

• LzDi∗0 (I`)T if b = 0, or

• LzDi∗0 ,i∗1 (I`)T if b = 1.

Figure 2: The Subspace Hiding Assumption

39

Intuitively, Ri will be very “short and fat,” and Li will be very “tall and skinny.”We additionally require the following properties of the Li and Ri matrices: for every j 6= j′, it must be the case that

Ri,j · Li+1,j′ = 0R

In other words, note that the product Ri,j ·Li+1 is required to have the form of a block diagonal matrix D as we definedabove.

The Subspace Hiding Assumptions. Equipped with the aforementioned notations, we now state the subspace hidingassumption. For any ring R, any choice of parameters `, z and each b ∈ {0, 1}, let ExptSubspace-Hiding

R,`,z,b denote anexperiment between a challenger and an adversary A as defined in Figure 2.

Definition 6.1. (Subspace Hiding Assumption.) The subspace hiding assumption is said to hold over a ring R if for anysecurity parameter λ, any choice of parameters `, z = poly(λ) and for any PPT adversary A, the views of the adversaryA in the experiments ExptSubspace-Hiding

R,`,z,0 and ExptSubspace-HidingR,`,z,1 are computationally indistinguishable.

We also define a special case of this assumption, called the “baby” subspace hiding assumption, for a fixed choiceof parameter ` = 2.

Definition 6.2. (Baby Subspace Hiding Assumption.) The “baby” subspace hiding assumption is said to hold over aring R if for any security parameter λ, any choice of parameter z = poly(λ) and for any PPT adversary A, the views ofthe adversary A in the experiments ExptSubspace-Hiding

R,2,z,0 and ExptSubspace-HidingR,2,z,1 are computationally indistinguishable.

The next sections are organized as follows:

• In Section 7 we prove the security of our iaiO construction based on the subspace hiding assumption as inDefinition 6.1.

• In Section 8, we extend the above result to the the subspace hiding assumption as in Definition 6.1.

• Finally, in Section 9, we prove that the baby subspace hiding assumption as in Definition 6.2 holds over any ringR that is the output ring of a ring-embedded homomorphic synthesizer.

Putting these together, we show that the existence of ring-embedded homomorphic synthesizer implies the existenceof a secure iaiO scheme.

7 Proof of Security for Our iaiO ConstructionIn this section, we prove (a) inter-column security, (b) single-input program switching security, (c) completely inactiveprogram security, and (d) intra-column security of our iaiO construction, all based on the subspace hiding assumptionas in Definition 6.1. Refer Section 3 for the formal definitions of these security notions for any iaiO scheme.

7.1 Inter-Column SecurityLemma 7.1. Assuming that the subspace hiding assumption holds, our iaiO construction achieves inter-columnsecurity.

Proof. Suppose that there exists some PPT attacker A which achieves non-negligible advantage in the inter-columnsecurity game for some valid setting of activation matrix G, challenge program indices t∗0, t

∗1 ∈ [T ], challenge variable

index i∗ ∈ [N ] and challenge bit b∗ ∈ {0, 1}. We will create a PPT algorithm B that achieves a non-negligibleadvantage in breaking the subspace hiding assumption (parameterized in this case by the challenge-index j∗ = (L+ i∗)and the challenge-slots (i∗0, i

∗1) = (t∗0, t

∗1)).

40

Inputs to B. As described in Section 6,B receives as input several terms of the following kinds:

• Generators: For each ` ∈ [L+N ] and each j ∈ [2(L+N) + T ] \ {t∗1}: many samples of the form L`DjR`,where Dj is a randomly sampled matrix of the appropriate form, and the “end guards” L1 and RL+N arespecially structured, as described in Section 5.2.

• Challenge-Relevant Elements: For each ` ∈ [L+N ]: many samples of the form L`Dt∗0 ,t∗1R`, where Dt∗0 ,t

∗1 is

a randomly sampled matrix of the appropriate form, and the “end guards” L1 and RL+N are specially structuredas mentioned before.

• Special Challenge-Index Elements: Many samples of the form L(L+i∗)Dt∗1R(L+i∗), where Dt∗1 is a randomly

sampled matrix of the appropriate form.

• Challenge Elements: A sample that is either of the form L(L+i∗)Dt∗0R(L+i∗) or of the form L(L+i∗)D

t∗0 ,t∗1R(L+i∗),

where Dt∗0 ,t∗1 and Dt∗0 are randomly sampled matrices of the appropriate form.

We structure the rest of the proof as follows. For clarity of exposition, we first state what the challenger in the realinter-column security game should generate should generate. We then state how the algorithm B simulates the same ina manner that is either computationally or statistically indistinguishable from the real game.

Real World: Aggregate Matrices. Let P1, . . . , PT be the oblivious branching programs of depth L that are to behandled in parallel, where for each t ∈ [T ], we have

Pt = {Mt,`,0,Mt,`,1}`∈[L].

The challenger in the real inter-column security game uniformly randomly samples additional permutation matricesZ1, . . . , ZL−1 ∈ {0, 1}5×5, and defines a new set of matrices {Nt,`,b}t∈[T ],`∈[L],b∈{0,1}, where

Nt,`,b = Z−1`−1Mt,`,bZ`,

where Z0 and ZL are both set to be the identity permutation.Let the corresponding set of ring-embedded permutation matrices be denoted as {Nt,`,b}t∈[T ],`∈[L],b∈{0,1}, where

each Nt,`,b is structured as follows:

Nt,`,b =

Nt,`,b,1,1 . . . Nt,`,b,1,5

.... . .

...Nt,`,b,5,1 . . . Nt,`,b,5,5

.For each program index t ∈ [T ], each level ` ∈ [L] and each bit b ∈ {0, 1}, the challenger in the real inter-column

security game generates an “aggregate” block-diagonal matrix At∗0 ,t∗1

`,b,w,v , structured as:

At∗0 ,t∗1

t,`,b =

N1,`,b,w,v

. . .NT,`,b,w,v

.

41

Real World: Program-Carrying Matrices. Based on the above, for each level ` ∈ [L] and for each bit b ∈ {0, 1},the challenger in the real inter-column security game generates a set of 5 · 5 block diagonal ‘program-carrying matrices”{Pt

∗0 ,t∗1

`,b,w,v}w,v∈[5], each of dimension (2(L+N) + T )m× (2(L+N) + 1)m, structured as:

Pt∗0 ,t∗1

`,b,w,v =

At∗0 ,t∗1

`,b,w,v

C(`,1),(b,0),(w,v)

C(`,1),(b,1),(w,v)

. . .C(`,L+N),(b,0),(w,v)

C(`,L+N),(b,1),(w,v)

,

where, for each ` ∈ [L], each `′ ∈ [L+N ], each b, b′ ∈ {0, 1} and each matrix position (w, v) ∈ [5]× [5], we have

C(`,`′),(b,b′),(w,v) =


.

Simulation: Program-Carrying Matrices. We now focus on howB simulates the “guarded” versions of the program-carrying matrices using its own input elements. Note that for simulating the consistency check block submatrices, Bsimply uses the generator elements that is receives as part if its input. When generating a random “guarded” blocksubmatrix in a given diagonal slot, it subset-sums sufficiently many instances of the corresponding generator matrices,which results in the desired distribution by the leftover hash lemma. A zero “guarded” block submatrix in a givendiagonal slot, on the other hand, conceptually corresponds to subset-summing the appropriate generator elements withan “all-zero” bit string, or equivalently, not summing any of these elements.

For simulating the block submatrices corresponding to the “aggregate matrix”, the natural stragey for B to adopt isto appropriately subset-sum the generator elements of the form L`DtR` that is receives as part if its input. Note thatthis strategy would work for all program indices other than the challenge program index t∗1, since B does not receiveany generator elements of the form L`Dt∗1R` for any ` ∈ [L].

However, in this case, B leverages the fact that for the challenge program indices t∗0, t∗1 in the inter-column security

game, the corresponding programs Pt∗0 and Pt∗1 must have identical sets of permutation matrices at each level, andhence identical sets of Killian-style randomized permutation matrices at each level. In other words, for Pt∗0 and Pt∗1 ,B can use the same ring-embedded permutation matrix representations, which allows it to use the challenge-relevant

elements of the form L`Dt∗0 ,t∗1R`.

To summarize, B uses the following strategy at each level ` ∈ [L] for simulating the block submatrices correspondingto the “aggregate matrix”:

1. For simulating the block submatrices corresponding to any program index t ∈ [N ] \ {t∗0, t∗1}, B appropriatelysubset-sums the generator elements of the form L`DtR` that it receives as input.

2. For simulating the block submatrices corresponding to the program indices t∗0, t∗1, B appropriately subset-sums

the challenge-relevant elements of the form L`Dt∗0 ,t∗1R` that it receives as input.

It is easy to see that by the leftover hash lemma, B’s simulation is statistically indistinguishable from the realinter-column security game.

Real World: Enforcer Matrices. For each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, the challenger in thereal inter-column security game generates an additional “enforcer matrix” E

t∗0 ,t∗1

i,b of dimension (2(L+N) + T )m×

42

(2(L+N) + T )m, structured as:

Et∗0 ,t∗1

i,b =

Ti,b

C(i,1),(b,0)

C(i,1),(b,1)

. . .C(i,L+N),(b,0)

C(i,L+N),(b,1)

,

where for each i ∈ [N ], each `′ ∈ [L+N ], and each b, b′ ∈ {0, 1}, we have

C(`,`′),(b,b′) =

{0 if (i, b′) = (φ`, b),


where recall that φ : [L]→ [N ] is a mapping such that for each ` ∈ [L], i = φ(`) indicates which variable xi controlsthe `th level branch.

Simulation: Enforcer Matrices. We now focus on how B simulates the “guarded” versions of these enforcer matricesusing its own input elements. In the simulation, B structures the “activation-enforcer” matrix Ti,b as a block diagonalmatrix in RTm×Tm, as described below:

Ti,b =

T1,i,b

. . .TT,i,b

,where for each program index t ∈ [T ] \ {t∗0, t∗1}, the block matrix Tt,i,b is simulated so as to satisfy the followingdistribution:

Tt,i,b =

{0 if G[i, t, b] = 0,

uniform in Rm×m otherwise..

We begin by noting that by appropriately subset-summing over the generator elements received as input, B can simulate“guarded” versions of all consistency sub-matrices and all block submatrices in the “activation-enforcer” matrix Ti,b,except for the block submatrices corresponding to the diagonal slot t∗1. The reason B cannot simulate this submatrix isthat by definition of the subspace hiding assumption, it is not provided with the generator elements corresponding to thediagonal slot t∗1.

Hence, the crux of the reduction lies in how B simulates “guarded” versions of the block sub-matrices Tt∗0 ,i,b

and Tt∗1 ,i,bfor different values of (i, b). This simulation is broken into several sub-cases depending on the values of

(i, b) ∈ [N ]× {0, 1}, as described below:

1. Case-1: i 6= i∗ and G[i, t∗0, b] = G[i, t∗1, b] = 0:

In this case, B simulates Tt∗0 ,i,band Tt∗1 ,i,b

as zero matrices in Rm×m.

2. Case-2: i 6= i∗, G[i, t∗0, b] = 1, G[i, t∗1, b] = 0:

In this case, B simulates Tt∗0 ,i,bas a uniformly distributed matrix in Rm×m and Tt∗1 ,i,b

as the zero matrix in

Rm×m. To do this, it additionally subset-sums over generator matrices of the form LL+iDt∗0RL+i, which it isprovided with as input.

43

3. Case-3: i 6= i∗, G[i, t∗0, b] = G[i, t∗1, b] = 1:

In this case, B simulates both Tt∗0 ,i,band Tt∗1 ,i,b

as uniformly distributed matrices in Rm×m. To do this, it

additionally subset-sums over the challenge-relevant matrices of the form LL+iDt∗0 ,t∗1RL+i, which it is provided

with as input.

4. Case-4: (i, b) = (i∗, 1− b∗), G[i, t∗0, b] = G[i, t∗1, b] = 0:


as the zero matrix in Rm×m.

5. Case-5: (i, b) = (i∗, 1− b∗), G[i, t∗0, b] = 1, G[i, t∗1, b] = 0:

In this case, B simulates Tt∗0 ,i,bas a uniformly distributed matrix in Rm×m and Tt∗1 ,i,b

as the zero matrix in

Rm×m. To do this, it additionally subset-sums over generator matrices of the form Li∗+NDt∗0Ri∗+N , which itis provided with as input.

6. Case-6: (i, b) = (i∗, 1− b∗), G[i, t∗0, b] = 0, G[i, t∗1, b] = 1:

In this case, B simulates Tt∗0 ,i,bas the zero matrix in Rm×m and Tt∗1 ,i,b

as a uniformly distributed matrixin Rm×m. To do this, it additionally subset-sums over the special challenge-index matrices of the formLi∗+NDt∗1Ri∗+N , which it is provided with as input.

7. Case-7: (i, b) = (i∗, 1− b∗), G[i, t∗0, b] = G[i, t∗1, b] = 1:


as uniformly distributed matrices in Rm×m. To do this, it

additionally subset-sums over generator matrices of the form Li∗+NDt∗0Ri∗+N as well as the special challenge-index matrices of the form Li∗+NDt∗1Ri∗+N , all of which it is provided with as input.

8. Case-8: (i, b) = (i∗, b∗):

In this case, we must have G[i∗, t∗0, b∗] = 1. In this case, B uses the challenge term provided to it as input.

Putting Everything Together. Finally, observe the following:

1. If the challenge sample is of the form L(L+i∗)Dt∗0R(L+i∗), then Case-3 would correspond to the case where

G[i∗, t∗1, b∗] = 0.

2. If the challenge sample is of the form L(L+i∗)Dt∗0 ,t∗1R(L+i∗), then Case-3 would correspond to the case where

G[i∗, t∗1, b∗] = 1.

Thus B can leverage A′s non-negligible advantage in the inter-column security game to achieve a non-negligibleadvantage in breaking the subspace hiding assumption. This completes the proof of inter-column security.

44

7.2 Single-Input Program Switching SecurityLemma 7.2. Assuming that the subspace hiding assumption holds, our iaiO construction achieves single-input programswitching security.

Proof. We will prove this via a hybrid argument that incrementally “erases” the branching program matrices notcorresponding to the single relevant input (referred to as x∗ = (x∗1, . . . , x

∗N )) in the relevant slots using the subspace

hiding assumption. Once we have done this, we can argue information-theoretically to switch the programs and thenreverse the hybrid to insert the new matrices.

We define the following hybrid experiments:

1. Exp0 will denote the original program switching security game with the challenge bit set to 0 (here the originalchallenge program Pt∗ is used in the t∗th slot of each “program-carrying” matrix.

2. For each ` ∈ [L], we define Exp` to be identical to Exp0, except for the first ` positions of each branching program,where the corresponding program-carrying submatrices corresponding to Pt∗ for the bit values disagreeing withthe single relevant input x∗ = (x∗1, . . . , x

∗N ) are set to the all-zero matrix in Rm×m.

Note that in ExpL, any pair of “program-carrying” matrices at a given level has exactly one non-zero ring-embeddedpermutation matrix in each slot.

We first argue that for each ` ∈ [L], Exp` is indistinguishable from Exp`−1, under the subspace hiding assumption.To see this, suppose there is some `∗ ∈ [L] such that some PPT attacker A distinguishes Exp`∗ from Exp`∗−1 withnon-negligible advantage for some valid setting of activation matrix G, challenge program index t∗ ∈ [T ], singlerelevant input x∗ = (x∗1, . . . , x

∗N ), and challenge bit b∗ ∈ {0, 1}. We use A to build a PPT algorithm B that breaks

the subspace hiding assumption (parameterized in this case by the challenge-index j∗ = `∗ and the challenge-slots(i∗0, i

∗1) = (t∗, T + 2`∗ + b∗)) with non-negligible advantage.

Inputs to B. As described in Section 6,B receives as input several terms of the following kinds:

• Generators: For each ` ∈ [L+N ] and each j ∈ [2(L+N) + T ] \ {t∗}: many samples of the form L`DjR`,where Dj is a randomly sampled matrix of the appropriate form, and the “end guards” L1 and RL+N arespecially structured, as described in Section 5.2.

• Challenge-Relevant Elements: For each ` ∈ [L+N ]: many samples of the form L`˜Dt∗,(T+2`∗+b∗)R`, where

˜Dt∗,(T+2`∗+b∗) is a randomly sampled matrix of the appropriate form, and the “end guards” L1 and RL+N arespecially structured as mentioned before.

• Special Challenge-Index Elements: Many samples of the form L`∗Dt∗R`∗ , where Dt∗ is a randomly sampledmatrix of the appropriate form.

• Challenge Elements: A sample that is either of the form L`∗Dt∗R`∗ or of the form L`∗˜Dt∗,(T+2`∗+b∗)R`∗ ,

where ˜Dt∗,(T+2`∗+b∗) and Dt∗ are randomly sampled matrices of the appropriate form.

Real World: Program-Carrying Matrices. For each level ` ∈ [L] and for each bit b ∈ {0, 1}, the challengerin the real program switching security game generates a set of 5 · 5 block diagonal ‘program-carrying matrices”

45

{P`,b,w,v}w,v∈[5], each of dimension (2(L+N) + T )m× (2(L+N) + 1)m, structured as:

P`,b,w,v =

A`,b,w,v

C(`,1),(b,0),(w,v)

C(`,1),(b,1),(w,v)

. . .C(`,L+N),(b,0),(w,v)

C(`,L+N),(b,1),(w,v)

,

where for each ` ∈ [L], each `′ ∈ [L+N ], each b, b′ ∈ {0, 1} and each matrix position (w, v) ∈ [5]× [5], we have

C(`,`′),(b,b′),(w,v) =


.

Simulation: Program-Carrying Matrices. In this simulation, for each program index t ∈ [T ], each level ` ∈ [L]and each bit b ∈ {0, 1}, B simulates an “aggregate” block-diagonal matrix A`,b,w,v , structured as:

At,`,b =

N1,`,b,w,v

. . .NT,`,b,w,v

.except for the block submatrix corresponding to the diagonal slot t∗. We explain later how the block submatricescorresponding to the diagonal slot t∗ are handled.

We now describe how B “actually” simulates “guarded” versions of the aforementioned program-carrying matricesusing its own input elements. We begin by noting that by appropriately subset-summing over the generator elementsreceived as input, B can simulate “guarded” versions of all consistency sub-matrices and all block submatrices in the“aggregate” block-diagonal matrix, except for the block submatrix corresponding to the diagonal slot t∗. The reasonB cannot simulate this submatrix is that by definition of the subspace hiding assumption, it is not provided with thegenerator elements corresponding to the diagonal slot t∗.

Hence, the crux of the reduction lies in how B simulates the block matrix Nt∗,`,b,w,v for different values of(`, b). This simulation is broken into several sub-cases depending on the values of (`, b) ∈ [L]× {0, 1}, as describedbelow (recall that φ : [L]→ [N ] is a mapping such that for each ` ∈ [L], i = φ(`) indicates which variable xi controlsthe `th level branch.):

1. Case-1: ` 6= `∗ and b = x∗φ(`):

In this case, B should set Nt∗,`,b,w,v to either zero or uniformly random as per the original program and theconsistency check matrix C`,1−b,(w,v) to the zero matrix in Rm×m. In particular the consistency check matrixC`∗,b∗,(w,v) is uniformly random. Hence, to simulate this, B can appropriately subset-sum over the following

input elements: (a) the challenge-relevant elements L` ˜Dt∗,(T+2`∗+b∗)R`, and (b) all other generator elements,

including the generator element L` ˜DT+2`∗+b∗R`.

2. Case-2: ` > `∗ and b = 1− x∗φ(`):

Note that even in this case, B should set Nt∗,`,b,w,v to either zero or uniformly random as per the originalprogram and the consistency check matrix C`,1−b,(w,v) to the zero matrix in Rm×m. In particular the consistencycheck matrix C`∗,b∗,(w,v) is uniformly random. Hence, to simulate this, B can appropriately subset-sum over the

following input elements: (a) the challenge-relevant elements L` ˜Dt∗,(T+2`∗+b∗)R`, and (b) all other generator

elements, including the generator element L` ˜DT+2`∗+b∗R`.

46

3. Case-3: ` < `∗ and b = 1− x∗φ(`):

In this case, B should set Nt∗,`,b,w,v to zero (as previous hybrids have eliminated this program matrix), while theconsistency check matrix C`∗,b∗,(w,v) should be uniformly random. Hence, to simulate this, it suffices for B toappropriately subset-sum over only the generator elements it received as input, including the generator element

L` ˜DT+2`∗+b∗R`..

4. Case-4: ` = `∗ and b = 1− b∗:

In this case, B should set Nt∗,`,b,w,v to either zero or uniformly random as per the original program and theconsistency check matrix C`∗,b∗,(w,v) to the zero matrix in Rm×m. Hence, to simulate this, B can appropriatelysubset-sum over the following input elements: (a) the “special” challenge-index elements L`∗Dt∗R`∗ , and (b)

all generator elements excluding the generator element L` ˜DT+2`∗+b∗R`.

5. Case-5: ` = `∗ and b = b∗:

In this case, B uses the challenge term provided to it as input. Note that this is an acceptable simulation strategyas B should set the consistency check matrix C`∗,b∗,(w,v) to uniformly random in this case.

At this point, observe the following:

1. If the challenge sample is of the form L`∗Dt∗R`∗ , then so far, B has properly simulated “guarded” versions ofthe program-carrying matrices as per Expt`∗ .

2. If the challenge sample is of the form L`∗˜Dt∗,(T+2`∗+b∗)R`∗ , then so far, B has properly simulated “guarded”

versions of the program-carrying matrices as per Expt`∗−1.

Real World: Enforcer Matrices. For each variable index i ∈ [N ] and for each bit b ∈ {0, 1}, the challenger in thereal program switching security game generates an additional “enforcer matrix” Ei,b of dimension (2(L+N) +T )m×(2(L+N) + T )m, structured as:

Ei,b =

Ti,b

C(i,1),(b,0)

C(i,1),(b,1)

. . .C(i,L+N),(b,0)

C(i,L+N),(b,1)

,

where for each i ∈ [N ], each `′ ∈ [L+N ], and each b, b′ ∈ {0, 1}, we have

C(`,`′),(b,b′) =

{0 if (i, b′) = (φ`, b),


Simulation: Enforcer Matrices. In this simulation, B structures the “activation-enforcer” matrix Ti,b as a blockdiagonal matrix in RTm×Tm, as described below:

Ti,b =

T1,i,b

. . .TT,i,b

,47

where for each program index t ∈ [T ] \ {t∗}, the block matrix Tt,i,b is simulated as follows:

Tt,i,b =

{0 if G[i, t, b] = 0,


We explain later how the block submatrices corresponding to the challenge program index t∗ are handled.We now describe how B “actually” simulates “guarded” versions of the aforementioned enforcer matrices using its

own input elements. We begin by noting that by appropriately subset-summing over the generator elements received asinput, B can simulate “guarded” versions of all consistency sub-matrices and all block submatrices in the “activation-enforcer” matrix Ti,b, except for the block submatrix corresponding to the diagonal slot t∗. The reason B cannotsimulate this submatrix is that by definition of the subspace hiding assumption, it is not provided with the generatorelements corresponding to the diagonal slot t∗.

Hence, the crux of the reduction lies in how B simulates the enforcer block matrices Tt∗,i,b for different values of(i, b). This simulation is broken into several sub-cases depending on the values of (i, b) ∈ [N ]× {0, 1}, as describedbelow:

1. Case-1: G[i, t∗, b] = 0:

In this case, B should set Tt∗,i,b to the zero matrix in Rm×m. Hence, to simulate this, it suffices for B toappropriately subset-sum over only the generator elements it received as input, including the generator element

LL+i ˜DT+2`∗+b∗RL+i.

2. Case-2: G[i, t∗, b] = 1:

In this case, it must be that either φ(`∗) 6= i or b∗ 6= b. This is because, in column t∗ and row i of theactivation matrix G, there can be only one entry equal to 1 (since exactly one input is activated), and the entryG[φ(`∗), t∗, 1− b∗] = 1 by definition of b∗. Hence, in these cases, B should set Tt∗,i,b to a uniformly distributedmatrix in Rm×m.

To simulate this, we claim that B can appropriately subset-sum over the following input elements: (a) the

challenge-relevant elements LL+i ˜Dt∗,(T+2`∗+b∗)RL+i, and (b) all generator elements including the generator

element LL+i ˜DT+2`∗+b∗RL+i.

To see that B uses a sound simulation strategy in Case-2, observe that in this case, it is not a problem if theconsistency check matrix C`∗,b∗ is set to a uniformly distributed matrix in Rm×m, as either φ(`∗) 6= i or b∗ 6= b. Recallthat in our parallel iO construction, for any enforcer matrix E′i,b, a consistency check submatrix C`,b′ should be set to auniformly distributed matrix in Rm×m if either φ(`) 6= i or b 6= b′.

Putting Everything Together. Finally, observe the following:

1. If the challenge sample is of the form L`∗Dt∗R`∗ , then B has properly simulated “guarded” versions of theprogram-carrying matrices and the enforcer matrices as per Expt`∗ .

2. If the challenge sample is of the form L`∗˜Dt∗,(T+2`∗+b∗)R`∗ , then B has properly simulated “guarded” versions

of the program-carrying matrices and the enforcer matrices as per Expt`∗−1.

This establishes the computational indistinguishability of Expt`∗−1 Expt`∗ . The computational indistinguishabilityof Expt0 and ExptL follows by a simple hybrid argument.

Next, we argue that the distribution of ExptL is statistically close to the distribution of another experiment Expt′L,where the challenge program Pt∗ replaced by another program P ′t∗ of the same depth and input access pattern thatagrees with Pt∗ on the single activated input. This follows from the following lemma:

48

Lemma 7.3. Let x = (x1, . . . , xN ) denote a single input to a matrix branching program P = {M`,b}`∈[L],b∈{0,1},and suppose that we “erase” the subset of permutation matrices that do not correspond to the single input x, i.e., thefollowing set of permutation matrices is “erased”:

{M`,1−xφ(`)}`∈[L].

Then if Z1, . . . , ZL−1 ∈ {0, 1}5×5 are uniformly sampled permutation matrices, the distribution of the following set ofpermutation matrices:

{N`,xφ(`) = Z−1`−1M`,xφ(`)Z`}`∈[L],

depends only on the output of the branching program P when evaluated on the single input x.

Given the aforementioned information-theoretic transition from ExptL to Expt′L, we can apply a similar sequence ofhybrid steps to “reverse-transition” computationally from Expt′L to Expt′0, by gradually restoring the deleted permutationsub-matrices, albeit with respect to the challenge program P ′t∗ instead of Pt∗ .

This completes our proof of single-input program switching security.

7.3 Completely Inactive Program Security and Intra-Column SecurityLemma 7.4. Assuming that the subspace hiding assumption holds, our iaiO construction achieves completely inactiveprogram security.

Proof. Leveraging techniques introduced in [GLSW15], we can show that the proof of completely inactive programsecurity follows from the same hybrid arguments as used in the proof of single input switching security.

Note that in the completely inactive program security game, we “erase” the permutation sub-matrices correspondingto the challenge program Pt∗ from all of the program-carrying matrices, and not just the matrices that do not correspondto a specific input. Once we erase all of the sub-matrices, we can again “reverse-insert” permutation sub-matricescorresponding to some other program P ′t∗ . We can use the same hybrid arguments as in the proof of single inputswitching security to argue that each such transition is computationally indistinguishable

Note that unlike the proof of single input switching security, here we do not need the information-theoretic transitionargument from Killian, as we are able to erase all the matrices, leaving no distribution that needs to be matched betweenthe old program Pt∗ and the new program P ′t∗ .

Lemma 7.5. Assuming that the subspace hiding assumption holds, our iaiO construction achieves intra-columnsecurity.

Proof. Here we can again leverage the techniques presented in [GLSW15] to show that intra-column security followsfrom an iterative application of the arguments used in the proof of inter-column security.

8 From “Baby” Subspace Hiding Assumption To Full AssumptionIn this section, we show that the baby subspace hiding assumption as in Definition 6.2 implies the general subspacehiding assumption as in definition 6.1. More concretely, we state and prove the following lemma.

Lemma 8.1. Assuming that the baby subspace hiding assumption as in Definition 6.2 holds over a ring R, the generalsubspace hiding assumption as in definition 6.1 holds over the same ring R.

Proof. To prove this lemma, we show that given a PPT algorithm A that breaks the general subspace hiding assumptionwith non-negligible advantage, one can construct a PPT algorithm B that breaks the baby subspace hiding assumptionwith non-negligible advantage. For ease of exposition, we first show the reduction for the special case where Achooses challenge-slots (i∗0, i

∗1) = (1, 2). We subsequently argue that the reduction works for any arbitrary choice of

challenge-slots.

49

Inputs to B. As per Definition 6.2,B receives as input several terms of the following kinds (we assume without lossof generality that B chooses i∗0 = 1 and i∗1 = 2):

• Generators: For each j ∈ [z]: many samples of the form LjD1Rj , where D1 is a randomly sampled matrix ofthe appropriate form as described above, except for when j = 1 and j = z, where the samples are of the formI2D1R1 and LzD1(I2)T , respectively.

• Challenge-Relevant Elements: For each j ∈ [z]: many samples of the form LjD1,2Rj , where D1,2 is arandomly sampled matrix of the appropriate form, except for when j = 1 and j = z, where the samples are ofthe form I2D1,2R1 and LzD1,2(I2)T , respectively.

• Special Challenge-Index Elements: Many samples of the form Lj∗D2Rj∗ , where D2 is a randomly sampledmatrix of the appropriate form, except for when j∗ = 1 or j∗ = z, where the samples are of the form I2D2R1 orLzD2(I2)T , respectively.

• The Challenge Element: A sample that is of one of the two following forms:

– Lj∗D1Rj∗ if b = 0, or

– Lj∗D1,2Rj∗ if b = 1,

where D1 and D1,2 are randomly sampled matrices of the appropriate form, except for when j∗ = 1, where thesample is of one of the two following forms:

– I2D1R1 if b = 0, or

– I2D1,2R1 if b = 1,

or when j∗ = z, where the sample is of one of the two following forms:

– LzD1(I2)T if b = 0, or

– LzD1,2(I2)T if b = 1.

Simulating Inputs to A. Observe that B essentially needs to simulate the terms to be provided to A that are notalready a part of its own challenge for the baby subspace assumption. Interestingly, these terms to be simulated are, bydefinition, orthogonal to the terms thet B receives as part of its own challenge input. In other words, B needs to: (a)“lift” its own inputs to be part of the general subspace assumption challenge, and (b) simulate the remaining terms in thegeneral subspace assumption challenge, which belong to orthogonal subspaces.

An Initial Attempt. Suppose the guard matrices {Lj ,Rj} in B’s challenge have dimensions m× 2n and 2n×m,respectively. Note that B does not receive the actual guard matrices in the clear; they are embedded in the challengeelements. B generates a fresh set of guard matrices {Lj,`−2,Rj,`−2} of dimensions m× (`− 2)n and (`− 2)n×m,respectively, satisfying the same distributional and relationship requirements as in the subspace hiding assumption. Thereader may refer our iaiO construction in Section 5 for the details of how this may be done efficiently. Next, supposehypothetically, that B concatenated the guard matrices embedded in its challenge elements with the freshly simulatedset of guard matrices to produce a new set of guard matrices {Lj,`, Rj,`} as follows:

Rj,` =

Rj 0R

0R Rj,`−2

, Lj,` =

Lj 0R

0R Lj,`−2

.Note that this is hypothetical since B is not actually provided with the set of guards {Lj ,Rj}. Additionally, thenewly constructed guard matrices are not distributed exactly as dictated by the subspace hiding assumption guards.

50

Nonetheless, this hypothetical set of guards are useful in the sense that they allow us to showcase how B can simulatethe challenge to A by exploiting the orthogonality of various terms it receives as input and the fresh terms it needs tosimulate, albeit with some departures from the desired distribution. This is described subsequently.

1. Simulating Generators:

For each j ∈ [z] and each i ∈ [`] \ {2}, B needs to simulate many samples of the form Lj,`Di`Rj,`, where Di

` isa randomly sampled matrix of the appropriate form as described above (the subscript ` is used to indicate that itis contains ` diagonal blocks), except for when j = 1 and j = z, where the samples are of the form I`Di

`R1,`

and Lz,`Di`(I

`)T , respectively. We divide the simulation strategy into the following cases:

(a) Case-1: i = 1:

Note that for each j ∈ [z], we have

Lj,`D1`Rj,` =

LjD1Rj 0R

0R 0R

,except for when j = 1 and j = z, where we have

I`D1`R1,` =

[I2D1R1 0R

], Lz,`D1

`(I`)T =

[LzD1(I2)T

0R

].

So in this case, B can directly use the generators it receives as input for the simulation.

(b) Case-2: i 6= 1 and i 6= 2:

Note that for each j ∈ [z], we have

Lj,`Di`Rj,` =

0R 0R

0R Lj,`−2Di`−2Rj,`−2

,except for when j = 1 and j = z, where we have

I`Di`R1,` =

[0R I`−2DiR1,`−2

], Lz,`Di

`(I`)T =

0R

Lz,`−2Di(I`−2)T

.So in this case, B can sample the generators directly without using its own inputs.

2. Simulating Challenge-Relevant Elements.

For each j ∈ [z], B needs to simulate many samples of the form Lj,`D1,2` Rj,`, where D1,2

` is a randomly sampledmatrix of the appropriate form as described above (the subscript ` is used to indicate that it is contains ` diagonal

blocks), except for when j = 1 and j = z, where the samples are of the form I`D1,2` R1,` and Lz,`D

1,2` (I`)T ,

respectively.

Again, note that for each j ∈ [z], we have

Lj,`D1,2` Rj,` =

LjD1,2Rj 0R

0R 0R

,51

except for when j = 1 and j = z, where we have

I`D1,2` R1,` =

[I2D1,2R1 0R

], Lz,`D

1,2` (I`)T =

LzD1,2(I2)T

0R

.So in this case, B can simulate using the challenge-relevant elements it receives as input.

3. Simulating Special Challenge-Index Elements:

B needs to simulate many samples of the form Lj∗,`D2`Rj∗,`, where Di

` is a randomly sampled matrix of theappropriate form as described above (the subscript ` is used to indicate that it is contains ` diagonal blocks),except for when j∗ = 1 or j∗ = z, where the samples are of the form I`D2

`R1,` or Lz,`D2`(I

`)T , respectively.

Again, note that we have

Lj∗,`D2`Rj∗,` =

Lj∗D2Rj∗ 0R

0R 0R

,except for when j∗ = 1 or j∗ = z, where we have

I`D2`R1,` =

[I2D2R1 0R

], Lz,`D2

`(I`)T =

LzD2(I2)T

0R

.So even in this case, B can simulate using the special challenge-index elements it receives as input.

4. Simulating the Challenge Element:

Note that we have

Lj∗,`D1`Rj∗,` =

Lj∗D1Rj∗ 0R

0R 0R

, Lj∗,`D1,2` Rj∗,` =

Lj∗D1,2Rj∗ 0R

0R 0R

,except for when j∗ = 1, where we have

I`D1`R1,` =

[I2D1R1 0R

], I`D1,2

` R1,` =[I2D1,2R1 0R

],

or when j∗ = z, where we have

Lz,`D1`(I

`)T =

LzD1(I2)T

0R

, Lz,`D1,2` (I`)T =

LzD1,2(I2)T

0R

,Hence, B can forward its own challenge element to A.

52

Re-randomizing the Guard Matrices. It remains to show how B can re-randomize the hypothetically created guardsto have the correct distribution as per the subspace hiding assumption, while retaining the ability to simulate as illustratedabove.

To do this, B uniformly samples an additional set of guard matrices {Lj , Rj} of dimensions m′×2m and 2m×m′,respectively, for some m′ > 6m log |R| subject to the constraint that Rj

ˆLj+1 = I (this is done via the exact sameprocedure as used to sample the guard matrices in our iaiO construction). Next, B (hypothetically) creates a set of“mega guards” as:

R∗j,` = Rj,`Rj , L∗j,` = LjLj,`.

First, note that each product of the form R∗j,`L∗j+1,` is distributed exactly the same as Rj,`Lj+1,`. So, if B takes all

of the aforementioned simulated terms with the incorrectly distributed guards and left and right multiplies them with(where appropriate) with the Lj and Rj terms, respectively, then the overall relations remain the same.

It remains to show that the “mega guards” are distributed appropriately. Note that, by Lemma 3.7, we can write

R∗j,` =[Aj AjXj + Cj

], L∗j,` =

[−XjBj

Bj

]for uniformly random Aj , Xj , Bj and Cj , subject to the restriction that CjBj = I. By Corollary 10.3 it follows thatR∗j,` and R∗j,` are distributed indistinguishably from uniformly sampled random matrices with the desired productdistribution.

Handling Arbitrary Challenge-Slots. Finally, we consider the general case where the adversary A in the subspacehiding experiment makes an arbitrary choice of challenge-slots (i∗0, i

∗1) ∈ [`]× [`], as opposed to the specific choice

(i∗0, i∗1) = (1, 2). Note that the only difference is that in the general case, B needs to use its own challenge elements in

the slots (i∗0, i∗1) and not in the slots (1, 2). We show how this can be handled by B.

Suppose again the guard matrices {Lj ,Rj} in B’s challenge have dimensions m× 2n and 2n×m, respectively,and suppose these are of the form

Rj =

[−− Rj,1 −−−− Rj,2 −−

], Lj =

| |Lj,1 Lj,2| |

,where the submatrices have dimensions m× n and n×m, respectively.

Note that B does not receive the actual guard matrices in the clear; they are embedded in the challenge elements. Asa first step, B changes its strategy of generating the new set of (improperly distributed) guard matrices {Lj,`, Rj,`}. Inparticular, B generates three fresh sets of guard matrices (we assume without loss of generality that i∗1 > i∗0):

• {Lj,[1,i∗0 ],Rj,[1,i∗0 ]} that have dimensions m× (i∗0 − 1)n and (i∗0 − 1)n×m, respectively,

• {Lj,[i∗0+1,i∗1−1],Rj,[i∗0+1,i∗1−1]} that have dimensions m× (i∗1 − i∗0 − 1)n and (i∗1 − i∗0 − 1)n×m, respectively,

• {Lj,[i∗1+1,`],Rj,[i∗1+1,`]} with dimensions m× (`− i∗1 − 1)n and (`− i∗1 − 1)n×m, respectively,

that all satisfy the same distributional and relationship requirements as in the subspace hiding assumption. Next,hypothetically, B concatenates the guard matrices embedded in its challenge elements with the freshly simulated set ofguard matrices to produce a new set of block-diagonal guard matrices {Lj,`, Rj,`} as follows:

Rj,` =

Rj,[1,i∗0 ]

Rj,1

Rj,[i∗0+1,i∗1−1]

Rj,2

Rj,[i∗1+1,`]

,

53

and

Lj,` =

Lj,[1,i∗0 ]

Lj,1

Lj,[i∗0+1,i∗1−1]

Lj,2

Lj,[i∗1+1,`]

.

Note that this is again hypothetical since B is not actually provided with the set of guards {(Lj,1,Rj,1), (Lj,2,Rj,2)}.Additionally, the newly constructed guard matrices are not distributed exactly as dictated by the subspace hidingassumption guards. Nonetheless, it serves to showcase how B can hypothetically “place” the guards in its own challengefrom the baby subspace hiding experiment into the challenge-slots chosen by the adversary A in the subspace hidingexperiment.

Next, it follows from arguments very similar to those presented for the specific case that this hypothetical set ofguards can be used by B to generate the challenge to A by exploiting the orthogonality of various terms it receives asinput and the fresh terms it needs to simulate, albeit with certain departures from the desired distribution. Finally, torepair these departures, B can use the same trick as before to (hypothetically) re-randomize the guards, and thus makesure that all the terms in the challenge to A are distributed as in the real subspace hiding experiment.

This completes the proof of Lemma 8.1.

Looking ahead to the next section, we prove in Lemma 9.1 that the baby subspace hiding assumption holds over theoutput ring R of a ring homomorphic synthesizer. Putting together Lemma 9.1 and Lemma 8.1, we immediately get thefollowing lemma.

Lemma 8.2. The subspace hiding assumption as in Definition 6.1 holds over the output ring R of a ring homomorphicsynthesizer.

This completes the proof of the subspace hiding assumption.

9 Proof of Baby Subspace Hiding AssumptionIn this section, we prove that the baby subspace hiding assumption as in Definition 6.2 holds over any ring R that is theoutput ring of a ring-embedded homomorphic synthesizer.

9.1 Overview of Proof StrategyBefore presenting the formal proof, we provide some additional insight into the baby subspace hiding assumption andthe proof strategy for the same using an example. Consider an instance of the baby subspace assumption experimentwith ` = 2 and z = 4, and suppose that the adversaryA chooses the challenge-index j∗ = 3. Then the challenger needsto provide A with terms of the following form (we use X generically to denote random submatrices of the appropriatedimensions:):

1. Generators:

The challenger provides the adversary A with several generators of the following forms:

54

G1 =[X 0R

]·[−− R1,1 −−−− R1,2 −−

], G2 =

| |L2,1 L2,2

| |

· [X 0R0R 0R

]·[−− R2,1 −−−− R2,2 −−

],

G3 =

| |L3,1 L3,2

| |

· [X 0R0R 0R

]·[−− R3,1 −−−− R3,2 −−

], G4 =

| |L4,1 L4,2

| |

· [X0R

]

2. Challenge-Relevant Elements.

The challenger provides the adversary A with several challenge-relevant elements of the following form (notethat in the baby subspace assumption experiment, the challenge-slot pair is (1, 2) by default):

H1 =[X X

]·[−− R1,1 −−−− R1,2 −−

], H2 =

| |L2,1 L2,2

| |

· [X 0R0R X

]·[−− R2,1 −−−− R2,2 −−

],

H3 =

| |L3,1 L3,2

| |

· [X 0R0R X

]·[−− R3,1 −−−− R3,2 −−

], H4 =

| |L4,1 L3,2

| |

· [XX

]

3. Special Challenge-Index Elements.

The challenger provides the adversaryAwith several special challenge-index elements of the following form (notethat for our example, the challenge-index j∗ = 3):

S =

| |L3,1 L3,2

| |

· [0R 0R0R X

]·[−− R3,1 −−−− R3,2 −−

]

4. Challenge Element.

Finally, the challenger provides the adversary A with a challenge element of the following form (depending onthe challenge-bit b):

C0 =

| |L3,1 L3,2

| |

· [X 0R0R 0R

]·[−− R3,1 −−−− R3,2 −−

]or

C1 =

| |L3,1 L3,2

| |

· [X 0R0R X

]·[−− R3,1 −−−− R3,2 −−

]

Intuitively, this assumption is secure because all elements not corresponding to the challenge-index are eitherrandom in the first and second slots or are random in the first slot and zero in the second slot. So all possible “legitimate”multiplications that can be performed efficiently will never zero the first slot of the challenge element, allowing it tomask the value of the second slot (where the challenge elements differ). Note that if there were an element that wasrandom in the second slot and zero in the first, the adversaryA could use it to trivially break security–but these elementsar not provided. We illustrate this intuition some more using the aforementioned example.

55

Distribution Requirements. Intuitively, we would like the terms provided by the challenger to the adversary A inthe baby subspace assumption experiment to be computationally indistinguishable from random, while being subject tocertain constraints, namely, some of them should multiply to zero by definition.

Suppose we (informally) label the elements provided by the challenger to the adversary A in the baby subspaceassumption experiment by type and index. We label the generators as G1, . . . ,Gz , the challenge-relevant elements asH1, . . . ,Hz , the special challenge-index element as S and the final challenge element as C. Also, let the challenge-index chosen by the adversary A be j∗. Note that the following relations must hold in our assumption for any j ∈ [j∗]and any j′ ∈ [j∗ + 1, z], respectively:

Gj

j∗−1∏i=j+1

Hi

S = 0R , S

j′−1∏i=j∗+1

Hi

Gj′ = 0R.

The astute reader may observe at this point that these are the only relations that the adversary A can efficiently verify.Thus, intuitively, we wish to establish that the terms provided by the challenger to the adversary A in the baby subspaceassumption experiment are computationally indistinguishable from a set of terms that are sampled uniformly fromdistributions that additionally satisfy the aforementioned constraints.

Mapping to Guard Matrices. We now map the aforementioned idea onto the guard matrices embedded inside theterms provided by the challenger to the adversaryA in the baby subspace assumption experiment. We revert back to ourprevious example where we considered an instance of the baby subspace assumption experiment with ` = 2 and z = 4,with the additional assumption that the adversary A chooses the challenge-index j∗ = 3. We again present the termsprovided by the challenger to the adversary A; but we additionally depict the following: we label the guard submatricesthat do not need to satisfy constraints (i.e., submatrices which are either zeroed out or for which additional orthogonalterms are not provided to the adversary A) with the color blue. In other words, the terms look as follows:

1. Generators:

The challenger provides the adversary A with several generators of the following forms:

G1 =[X 0R

]·[−− R1,1 −−−− R1,2 −−

], G2 =

| |L2,1 L2,2

| |

· [X 0R0R 0R

]·[−− R2,1 −−−− R2,2 −−

],

G3 =

| |L3,1 L3,2

| |

· [X 0R0R 0R

]·[−− R3,1 −−−− R3,2 −−

], G4 =

| |L4,1 L4,2

| |

· [X0R

]

2. Challenge-Relevant Elements.

The challenger provides the adversary A with several challenge-relevant elements of the following form (notethat in the baby subspace assumption experiment, the challenge-slot pair is (1, 2) by default):

H1 =[X X

]·[−− R1,1 −−−− R1,2 −−

], H2 =

| |L2,1 L2,2

| |

· [X 0R0R X

]·[−− R2,1 −−−− R2,2 −−

],

H3 =

| |L3,1 L3,2

| |

· [X 0R0R X

]·[−− R3,1 −−−− R3,2 −−

], H4 =

| |L4,1 L4,2

| |

· [XX

]

56

3. Special Challenge-Index Elements.

The challenger provides the adversaryAwith several special challenge-index elements of the following form (notethat for our example, the challenge-index j∗ = 3):

S =

| |L3,1 L3,2

| |

· [0R 0R0R X

]·[−− R3,1 −−−− R3,2 −−

]

4. Challenge Element.

Finally, the challenger provides the adversary A with a challenge element of the following form (depending onthe challenge-bit b):

C0 =

| |L3,1 L3,2

| |

· [X 0R0R 0R

]·[−− R3,1 −−−− R3,2 −−

]or

C1 =

| |L3,1 L3,2

| |

· [X 0R0R X

]·[−− R3,1 −−−− R3,2 −−

]

The important thing to note from the aforementioned illustration is the following: suppose that the challenger, in asequence of hybrid experiments, replaces the “blue” guard submatrices in the aformentioned depiction with uniformlyrandom submatrices of the same dimension. This does not violate any of the aforementioned constraints as these arethe submatrices for which additional orthogonal terms are not provided to the adversary A. Additionally, once allthe “blue” guard submatrices have been replaced with with uniformly random submatrices of the same dimension,indistinguishability of the challenge element from a random matrix (independent of the challenge bit b) followsimmediately.

Proof Strategy. Based on this observation, our proof strategy for the baby subspace hiding assumption will be toreplace the “blue” guard submatrices in the aformentioned depiction with uniformly random submatrices of the samedimension, via a sequence of hybrid experiments. The proof that each hybrid is indistinguishable from the previoushybrid relies intuitively on the following observation: by invoking Theorem 4.2, we can prove that the following arecomputationally indistinguishable whenever the ring R is the output ring of a ring homomorphic synthesizer: |

−− X0 −−|

and

|Y0

|

[X1

] [−− Y1 −−

]where X0,X1,Y0 and Y1 are uniform matrices of appropriate dimensions.

9.2 Formal Proof of Baby Subspace Hiding AssumptionGiven the above intuition, we now present the formal proof of the baby subspace hiding assumption. We state and provethe following lemma.

Lemma 9.1. The baby subspace hiding assumption as in Definition 6.2 holds over the output ring R of a ringhomomorphic synthesizer.

We prove this lemma via a sequence of hybrid experimentsH0 throughHz , as described below, where z = poly(λ)parameterizes the baby subspace hiding assumption (we also assume in the remainder of the description that j∗ ∈ [z] isthe challenge-index chosen by the adversary A in the baby subspace hiding assumption experiment):

57

1. H0: This experiment is identical to the baby subspace hiding assumption experiment.

2. Hj for j ∈ [j∗ − 1]: This experiment is identical to the previous experiment Hj−1 except for the manner inwhich the challenger generates the guard matrices Rj and Lj+1. Suppose that in the experimentHj−1, the guardmatrices Rj and Lj+1 are generated as:

Rj =

[−− Rj,1 −−−− Rj,2 −−

], Lj+1 =

| |Lj+1,1 Lj+1,2

| |

.In the experiment Hj , the submatrices Rj,2 and Lj+1,1 are replaced by uniformly random matrices. Moreconcretely, in the experimentHj , we have

Rj =

[−− Rj,1 −−−− X1 −−

], Lj+1 =

| |X2 Lj+1,2

| |

,where X1 and X2 are matrices of the appropriate dimensions with uniformly sampled entries from the ring R.

3. Hj for j ∈ [j∗, z − 1]: This experiment is identical to the previous experimentHj−1 except for the manner inwhich the challenger generates the guard matrices Rz−(j−j∗)−1 and Lz−(j−j∗). Suppose that in the experimentHj−1, the guard matrices Rz−(j−j∗)−1 and Lz−(j−j∗) are generated as:

Rz−(j−j∗)−1 =

[−− Rz−(j−j∗)−1,1 −−−− Rz−(j−j∗)−1,2 −−

], Lz−(j−j∗) =

| |Lz−(j−j∗),1 Lz−(j−j∗),2

| |

.In the experiment Hj , the submatrices Rz−(j−j∗)−1,2 and Lz−(j−j∗),1 are replaced by uniformly randommatrices. More concretely, in the experimentHj , we have

Rz−(j−j∗)−1 =

[−− Y1 −−−− Rz−(j−j∗)−1,2 −−

], Lz−(j−j∗) =

| |Lz−(j−j∗),1 Y2

| |

,where Y1 and Y2 are matrices of the appropriate dimensions with uniformly sampled entries from the ring R.

4. Hz : In this hybrid, the challenger does not generate the challenge element depending on the bit b. Instead, itgenerates a uniform square matrix C and provides it to the adversary A, except when j∗ = 1 or j∗ = z, in whichcases, the challenger provides the adversary with either I`C, or C(I`)T , respectively.

Indistinguishability of Outer Hybrids. We state and prove the following lemma.

Lemma 9.2. If R is the output of a ring homomorphic synthesizer, then hybridH0 is computationally indistinguishablefrom hybridH1.

Proof. We begin by focusing on the guard submatrix R1,2. Note that the only terms involving R1,2 are the challenge-relevant terms, There are other terms that might reveal information on R1,2 (those terms that contain L2,1), but we shallignore them for now. Let H1 be a challenge-relevant term of the form

H1 =[X X

]·[−− R1,1 −−−− R1,2 −−

]so if we can show that H1 is indistinguishable from random, then we are done.

58

In lemma 10.4, we show that for any random matrices R1,1 ∈ Rn×2m, R1,2 ∈ Rn×2m, L2,1 ∈ R2m×n, andL2,2 ∈ R2m×n, subject to the constraint that

R1,1L2,2 = 0R and R1,2L2,1 = 0R,

and uniformly random matrices X1,X2 ∈ Rn×n and Z ∈ Rn×2m, then the following two tuples are indistinguishable:

(R1,1,R1,2,L2,1,L2,2, (X1R1,1 + X2R1,2)) and (R1,1,R1,2,L2,1,L2,2,Z) .

Note that (X1R1,1 + X2R1,2) is the distribution of terms of the form H1 if R1,2 is distributed correctly, and Z is thedistribution of terms of the form H1 if R1,2 is distributed randomly (note that we are using the fact that multiplicationof a two random matrices is random, which follows from Theorem 4.2).

Given R1,1, R1,2, L2,1, L2,2 and terms of the form H1 that are either real or random, we can easily simulate allof the remaining terms with the appropriate distribution. Note that if we have randomized R1,2, then L2,1 is nowcompletely independent of everything else and distributed randomly as desired. So, by invoking Lemma 10.4, wecomplete the proof of Lemma 9.2.

We also state the following lemma, the proof of which follows from arguments very similar to those in the proof ofLemma 9.2 and is hence not detailed.

Lemma 9.3. If R is the output of a ring homomorphic synthesizer, then hybridHz−2 is computationally indistinguish-able from hybridHz−1.

Indistinguishability of Inner Hybrids. We now state and prove the following lemma.

Lemma 9.4. If R is the output of a ring homomorphic synthesizer, then for each j ∈ [2, j∗ − 1], hybrid Hj−1 iscomputationally indistinguishable from hybridHj .

Proof. As before, let’s look closely at one guard submatrix in particular: namely, Rj,2. Note that the only termsinvolving Rj,2 are the challenge-relevant terms. There are other terms that might reveal information on Rj,2 (thoseterms that contain Lj+1,1), but we shall ignore them for now. Let Hj be a such a challenge-relevant term of the form

Hj =

| |Lj,1 Lj,2| |

· [X 0R0R X

]·[−− Rj,1 −−−− Rj,2 −−

]

Now observe that in hybridHj−1, the submatrix Lj,1 has already been randomized (as well as its predecessor guardsubmatrix Rj−1,1), so we may replace it with a random matrix Z without loss of generality. In other words, we have

Hj =

| |Z Lj,2| |

· [X 0R0R X

]·[−− Rj,1 −−−− Rj,2 −−

],

or equivalently,Hj = ZX1Rj,1 + Lj,2X2Rj,2,

where X1 and X2 are submatrices of appropriate dimensions with entries sampled uniformly from the ring R. Nowwhen we additionally replace the submatrix Rj,2 with a uniformly random submatrix Z′ of the same dimension, thechallenge-relevant term takes the form

Hj = ZX1Rj,1 + Lj,2X2Z′.

In Lemma 10.5, we show that for random matrices of appropriate dimensions Rj−1,1 ∈ Rn×2m, Lj,2 ∈ R2m×n,Rj,1 ∈ Rn×2m, Rj,2 ∈ Rn×2m, Lj+1,1 ∈ R2m×n, and Lj+1,2 ∈ R2m×n subject to the constraints that,

Rj−1,1Lj,2 = 0R and Rj,1Lj+1,2 = 0R and Rj,2Lj+1,1 = 0R,

59

and for uniformly random matrices X1,X2 ∈ Rn×n, Z ∈ Rn×2m and Z′ ∈ Rn×2m, given the tuple of matrices

(Rj−1,1,Z,Lj,2,Rj,1,Rj,2,Lj+1,1,Lj+1,2) ,

the following terms are computationally indistinguishable:

(ZX1Rj,1 + Lj,2X2Rj,2) and (ZX1Rj,1 + Lj,2X2Z′) .

Note that on the left is the distribution of terms of the form Hj if Rj,2 is distributed correctly (as in hybrid Hj−1),and on the right is the distribution of terms of the form Hj if Rj,2 is substituted with a uniformly random submatrixZ′ (as in hybridHj). Additionally, given the tuple of matrices as described above and terms of the form Hj , we caneasily simulate all of the remaining terms with the appropriate distribution. Finally, once we have randomized Rj,2,then Lj+1,1 is now completely independent of everything else and distributed randomly as desired. So, by invokingLemma 10.5, we complete the proof of Lemma 9.4.

We also state the following lemma, the proof of which follows from arguments very similar to those in the proof ofLemma 9.4 and is hence not detailed.

Lemma 9.5. If R is the output of a ring homomorphic synthesizer, then for each j ∈ [j∗ + 1, z − 1], hybridHj−1 iscomputationally indistinguishable from hybridHj .

Indistinguishability ofHz−1 andHz . Finally, we state and prove the following lemma.

Lemma 9.6. If R is the output of a ring homomorphic synthesizer, then hybridHz−1 is computationally indistinguish-able from hybridHz .

Proof. Note that in both the hybrids Hz−1 and Hz , all guard matrices {Lj ,Rj} that could be partially random-ized (without impacting the output of their desired product distributions as mandated by the subspace hiding theassumption) have, in fact, been partially randomized. The only difference between the hybridsHz−1 andHz is that thechallenge element to be provided to the adversary A is additionally randomized in the final hybridHz .

Recall that, in Hz−1 (and all the hybrids before it), the challenge elements have one of the two forms statedbelow (depending on the challenge bit b):

C0 =

| |Lj∗,1 Lj∗,2| |

· [X 0R0R 0R

]·[−− Rj∗,1 −−−− Rj∗,2 −−

]or

C1 =

| |Lj∗,1 Lj∗,2| |

· [X 0R0R X

]·[−− Rj∗,1 −−−− Rj∗,2 −−

]Next, observe the following:

• The guard submatrix Lj∗,1 is randomized in hybridHj∗−1 and all subsequent hybrids.

• The guard submatrix Rj∗,1 is randomized in hybridHz−1 and all subsequent hybrids.

In other words, inHz−1, the challenge elements have one of the two forms stated below (depending on the challengebit b):

C0 =

| |Xj∗,1 Lj∗,2| |

· [X 0R0R 0R

]·[−− Yj∗,1 −−−− Rj∗,2 −−

]or

C1 =

| |Xj∗,1 Lj∗,2| |

· [X 0R0R X

]·[−− Yj∗,1 −−−− Rj∗,2 −−

],

60

or equivalently,C0 = Xj∗,1X1Yj∗,1 or C1 = Xj∗,1X1Yj∗,1 + Lj∗,2X2Rj∗,2,

where Xj∗,1, Yj∗,1, X1 and X2 are uniformly random matrices. Now, observe that terms of the form

Xj∗,1X1Yj∗,1,

are computationally indistinguishable from random by Theorem 4.2 whenever X1 is uniformly random. This inturn implies that the distribution of the challenge element in hybridHz−1 must be computationally indistinguishablefrom random (independent of the challenge bit b), and hence, computationally indistinguishable from that in hybridHz (independent of the challenge bit b). This completes the proof of Lemma 9.6.

Putting Everything Together. Finally, the proof of Lemma 9.1 follows by putting together, in sequence, the proofsof Lemma 9.2, Lemma 9.4, Lemma 9.5, Lemma 9.3 and Lemma 9.6. This completes the proof of security of the babysubspace hiding assumption as in Definition 6.2.

10 Some Useful Lemmata

Lemma 10.1. Let R be a finite ring, and let m,n be integers such that m = 2n and n > 3 log |R|. Assume thatv← Rm, and v∗ sampled uniformly conditioned on vtv∗ = 0R. If a← Rn,~b← Rn, and S← Rn×n then we have

(v,v∗)s≈ (w,w∗),

where wt = (at,atS) ∈ Rm and w∗ =

[−Sbb

]∈ Rm.

Proof. We use the notation v = (v1,v2) and v∗ = (v∗1,v∗2) to denote the first and second half of v and v∗, respectively.

First, by applying Lemma 3.7 we know that (vt1,vt2)

s≈ (at,atX). Now, in order to uniformly sample w∗ conditioned

onatw∗1 + atSw∗2 = 0,

we can first sample a uniform b := w∗2 ← Rn, and then sample w∗1 condition on the equation above. By rearranging, itfollows that

atw∗1 = −atSb.

Now observe that given all the terms in the equation above except w∗1 , the distribution of w∗1 is Sb + k, whereSb is distributed as mentioned above and k is a uniform vector from the set RKer(a).1 By applying Lemma 3.7 again,it follows that (with overwhemling probability) for every k ∈ RKer(a) there exists a matrix S′ ∈ Rn×n such thatS′y = k. Therefore, we can say that the distribution of w∗1 is Sb + S′b = (S + S′)b, where the distribution of S′ isinduced by RKer(a). Since S is uniform and independent of S′, it follows that the distribution of w∗1 is statisticallyclose to Sy where S is uniformly distributed. It follows that

(vt,v∗)s≈ ((at,atS),

[−Sbb

]),

and hence(v,v∗)

s≈ (w,w∗),

as required.1Recall that RKer(a) is the set of all vectors t such that att = 0R.

61

Corollary 10.2. Let R be a finite ring, and let m,n, ` be integers such that m = 2n, n > 3` log |R|, and m is aninteger multiple of `. Assume that V ← R`×m, and V∗ ∈ Rm×` sampled uniformly conditioned on VV∗ = 0. IfA← R`×n, B← Rn×`, and S← Rn×n then we have

(V,V∗)s≈ (W,W∗),

where W = [A | AS] ∈ R`×m and W∗ =

[−SBB

]∈ Rm×`.

Proof. It follows by applying the previous lemma, and observing the fact that M`(R) (the set of square `× ` matricesover R) forms a finite ring.

We also need the following corollary, which plays an essential role in proving that “guard matrices” are distributedproperly.

Corollary 10.3. Let R be a finite ring, and let m,n, ` be integers such that m = 2n, n > 3` log |R|, and m is aninteger multiple of `. Assume that V ← R`×m, and V∗ ∈ Rm×` sampled uniformly conditioned on VV∗ = MBwhere M ∈ R`×m is an arbitrary matrix and B ← Rm×` is uniformly generated. If A ← R`×n, B ← Rn×`, andS← Rn×n then we have

(V,V∗)s≈ (W,W∗),

where W = [A | AS + M] ∈ R`×m and W∗ =

[−SBB

]∈ Rm×`.

Proof. This proof follows by the applying the previous corollary to the coset that is induced by the element MB. (Onecan view the previous corollary as a special case of this one by setting M to be all-zero matrix.)

Lemma 10.4. Let m and n be integers such that m ≥ 6n log |R| where R is the output space of a ring-embeddedhomomorphic synthesizer. Let the matrices R1 ∈ Rn×2m, and R2 ∈ Rn×2m L1 ∈ R2m×n, L2 ∈ R2m×n, be randomsubject to the constraint that

R1L2 = 0 and R2L1 = 0

Suppose we sample two matrices X1,X2 ∈ Rn×n uniformly at random, and let Z ∈ Rn×2m be sampled uniformly atrandom as well. We claim the following two tuples are indistinguishable:

(R1,R2,L1,L2, (X1R1 + X2R2)) and (R1,R2,L1,L2,Z)

Proof. To provide a better intuition, let’s start by visualizing what we want to prove. Suppose we have the followingmatrices: [

−− R1 −−],[−− R2 −−

],

|L1

|

, |L2

|

We claim that, given two sets of orthogonal matrices of ring elements: R1, L2 and R2, L1, the following is indistin-guishable from random for random X1, X2:

[X1 X2

] [−− R1 −−−− R2 −−

]By Corollary 10.2, for random F ∈ Rm×m, G ∈ Rm×n, and H ∈ Rn×m, the set of matrices

A ∈ Rn×2m :=[G GF

], B ∈ R2m×n :=

[−FHH

]are statistically indistinguishable from a randomly chosen pair of matrices(

A′ ∈ R2m×n,B′ ∈ Rn×2m)

62

such that AB = 0. Given this, we can replace the matrices in our assumption with ones of this form.Suppose we define uniformly random matrices R1 ∈ Rn×m, R2 ∈ Rn×m, L1 ∈ Rm×n, L2 ∈ Rm×n, U ∈

Rm×m, and V ∈ Rm×m and set:

R1 =[R1 R1U

], R2 =

[R1 R2V

], L1 =

[−VL1

L1

], L2 =

[−UL2

L2

]

Then our lemma is exactly equivalent to distinguishing the following:([R1, R1U

],[R2, R2V

],[−L1V, L1

],[−UL2, L2

], (X1R1 + X2R2)

)and([

R1, R1U],[R2, R2V

],[−L1V, L1

],[−UL2, L2

],Z)

Now let’s work graphically. Note that

[X1 X2

] [−− R1 −−−− R2 −−

]=[X1 X2

] [R1 UR1

R2 VR2

]=

[X1R1 + X2R2|| X1R1U + X2R2V

]Let C ∈ Rn×m and D ∈ Rn×m be uniformly random matrices. By Theorem 4.2, we know that the following tuplesare indistinguishable: (

R1,X1R1

)and

(R1,C

)(R2,X2R2

)and

(R2,C

)Using this indistinguishability, we can reduce the output of our assumption to[

C + D ||CU + DV]

Note that [C + D ||CU + DV

]=[C + D || (C + D)U + D (V −U)

]Since C and D are uniformly random, we have that, for some random E ∈ Rn×m, the above is identically distributedto [

E |EU + D (V −U)]

Since V and U are random, we know that, for some random W ∈ Rn×m, the above is identically distributed to[E |EU + DW

]We note that this is the case even if V and U are publicly known. Let K ∈ Rn×m be a uniformly random matrix, byTheorem 4.2 it is easy to see that the following are indistinguishable from random

(W,DW) and (W,K)

This allows us to randomize the second term in the above matrix, completing the proof.

Lemma 10.5. Let m and n be integers such that m ≥ 6n log |R| where R is the output space of a ring-embeddedhomomorphic synthesizer. Let the matrices R1,2 ∈ Rn×2m, L2,1 ∈ R2m×n, R2,1 ∈ Rn×2m, and R2,2 ∈ Rn×2m,L3,1 ∈ R2m×n, and L3,2 ∈ R2m×n be random subject to the constraint that, for all relevant i:

Li,0Ri+1,1 = 0 and Li,1Ri+1,0 = 0

63

Suppose we sample two matrices X1,X2 ∈ Rn×n uniformly at random, and let Z ∈ Rn×2m and Z′ ∈ Rn×2m besampled uniformly at random as well. We claim the following: given the terms

R1,2,L2,1,R2,1,R2,2,L3,1,L3,2,Z

the following tuples are indistinguishable:

(L2,1X1R2,1 + ZX2R2,2) and (L2,1X1Z′ + ZX2R2,2)

Proof. Observe that essentially what we are trying to prove is that the following two products are indistinguishablefrom each other: | |

L2,1 Z| |

[X1 00 X2

] [−− R2,1 −−−− R2,2 −−

]and | |

L2,1 Z| |

[X1 00 X2

] [−− Z′ −−−− R2,2 −−

]even when given all of the matrices in the assumption. Note that we are giving out all of the “guard” matrices in the“real” product–L2,1, Z, R2,1 and R2,2–as well as matrices R1,2, L3,2, and L3,1, which are orthogonal to L2,1, R2,1,and R2,2, respectively. Note that Z is totally random and that it is completely independent from all other terms (we arenot giving out anything orthogonal to it). This will be crucial for our proofs.

By Corollary 10.2, for random F ∈ Rm×m, G ∈ Rm×n, and H ∈ Rn×m, the set of matrices

A ∈ Rn×2m :=[G GF

], B ∈ R2m×n :=

[−FHH

]are statistically indistinguishable from a randomly chosen pair of matrices(

A′ ∈ R2m×n,B′ ∈ Rn×2m)

such that AB = 0. Given this, once again we can replace the matrices in our assumption with ones of this form.As before, we define many tuples of orthogonal matrices Let R1,2 ∈ Rm×n, L2,1 ∈ Rn×m, R2,1 ∈ Rm×n,

L3,2 ∈ Rn×m,R2,2 ∈ Rm×n, L3,1 ∈ Rn×m, V1 ∈ Rm×m, U2 ∈ Rm×m, and V2 ∈ Rm×m be distributed uniformlyat random. We can define our original matrices in the following way:

R1,2 =[R1,2 R1,2V1

], L2,1 =

[˜−V1L2,1

L2,1

], R2,1 =

[R2,1 R2,1U2

], L3,2 =

[−U2L3,2

L3,2

],

R2,2 =[R2,2 R2,2V2

], L3,1 =

[−V2L3,1

L3,1

]As a simplification, suppose we set Z = [Z1||Z2] for Z1,Z2 ∈ Rm×n. We can rewrite | |

L2,1 Z| |

[X1 00 X2

] [−− R2,1 −−−− R2,2 −−

]as

| |V1L2,1 Z1

| || |

L2,1 Z2

| |

[X1 00 X2

] [−− R2,1 −− −− R2,1U2 −−−− R2,2 −− −− R2,2V2 −−

]

64

=

| |V1L2,1X1 Z1X2

| || |

L2,1X1 Z2X2

| |

[−− R2,1 −− −− R2,1U2 −−−− R2,2 −− −− R2,2V2 −−

]

Let C1 ∈ Rm×n, C2 ∈ Rm×n, and C3 ∈ Rm×n be uniformly random matrices. By Theorem 4.2, we know that thefollowing are indistinguishable from random:(

L2,1, L2,1

)X1 and

(L2,1,C1

)(Z,ZX2) and

(Z, [C2||C3]

T)

We can rewrite the above product as| |

V1C1 C2

| || |

C1 C3

| |

[−− R2,1 −− −− R2,1U2 −−−− R2,2 −− −− R2,2V2 −−

]

If we expand this matrix, we get[V1C1R2,1 + C2R2,2 V1C1R2,1U2 + C2R2,2V2

C1R2,1 + C3R2,2 C1R2,1U2 + C3R2,2V2

]

Suppose we also assume the adversary knows V1, U2, and V2. Recall that matrices of the form[I X0 I

]and

[Y II 0

]are invertible for any ring and for any X,Y. Now let’s consider the product[

I −V1

0 I

][V1C1R2,1 + C2R2,2 V1C1R2,1U2 + C2R2,2V2

C1R2,1 + C3R2,2 C1R2,1U2 + C3R2,2V2

] [I 0−V2 I

]If we can show that certain terms in this product are random, then it immediately follows that the terms in our originalmatrix are indistinguishable from random since the operations are invertible and we are assuming that V1 and V2

are known to the adversary. Now, our goal is to show that U2 is indistinguishable from random. By working somecalculation, we get [

I −V1

0 I

][V1C1R2,1 + C2R2,2 V1C1R2,1U2 + C2R2,2V2

C1R2,1 + C3R2,2 C1R2,1U2 + C3R2,2V2

]=

[C2R2,2 −V1C3R2,2 C2R2,2V2 −V1C3R2,2V2

C1R2,1 + C3R2,2 C1R2,1U2 + C3R2,2V2

]and also that [

C2R2,2 −V1C3R2,2 C2R2,2V2 −V1C3R2,2V2

C1R2,1 + C3R2,2 C1R2,1U2 + C3R2,2V2

] [−V2 II 0

]

65

=

[0 C2R2,2 −V1C3R2,2

C1R2,1U2 + C3R2,2V2 C1R2,1 + C3R2,2

]Now we need to show that U2 is computationally hidden. Let E1 ∈ Rm×m, E2 ∈ Rm×m, and C3 ∈ Rm×m beuniformly random matrices. By Theorem 4.2, we know that the following are indistinguishable from random:(

R2,1,C1R2,1

)and

(R2,1,E1

)(R2,2,C2R2,2

)and

(R2,2,E2

)(R2,2,C3R2,2

)and

(R2,2,E3

)This allows us to reduce the previous matrix we were examining to[

0 E2 −V1E3

E1U2 + E3V2 E1 + E3

]Note that E2 −V1E3 is distributed randomly given the rest of the terms since E2 is random and is not present in anyof the other terms. In order to finish the lemma, we need to show that the following two tuples are indistinguishable,where Q ∈ Rm×m is a random matrix:

(U2,V2,E1U2 + E3V2,E1 + E3) and (U2,V2,E1Q + E3V2,E1 + E3)

Observe that even if E1 is known to the adversary, the latter tuple is random since (E1,E1Q) is indistinguishable fromrandom by Theorem 4.2. It is enough to show that the tuple

U2,V2,E1U2 + E3V2,E1 + E3

is indistinguishable from random. We can write F = E1 + E3 and then rewrite our tuple as

U2,V2,E1 (U2 −V2) + FV2,F

Since we have eliminated E3 from the above tuple, we may assume that F is uniformly random and hidden froman adversary. Let G ∈ Rm×m be a uniformly random matrix. By Theorem 4.2, we know that the following areindistinguishable from random:

(V2,FV2) and (V2,G)

Then our tuple is indistinguishable from

U2,V2,E1 (U2 −V2) + G,F

which is indistinguishable from random, completing the proof.

11 Slotted RKHwPRFsIn this section, we define a weaker flavor of RKHwPRF called a “slotted” RKHwPRF. We begin by defining a plainslotted weak PRF with no algebraic structure.

Definition 11.1. (Slotted weak PRF.) An N -slotted weak PRF family is a set of weak PRF families {Fi,j : K ×X →Yi,j}i,j∈[N ],i≤j that share the same key space and input space, but may have different output spaces.

Each unit interval [i, i] for i ∈ [N ] is referred to as a “slot”. Note that for a unit interval [i, i], we simply use thenotations Fi and Yi instead of Fi,i and Yi,i.

We now define variants of these primitive with algebraic structure.

66

Definition 11.2. (Slotted RKHwPRF.) An N -slotted weak PRF family of the form {Fi,j : K ×X → Yi,j}i,j∈[N ],i≤jis an N -slotted RKHwPRF family if it satisfies the following properties:

• (K,⊕,⊗) is an efficiently samplable (finite) ring with efficiently computable ring operations.

• For each i, j ∈ [N ] such that i ≤ j, we have the following:

– (Yi,j ,�) is an efficiently samplable (finite) group with efficiently computable group operations.

– For any x ∈ X the function Fi,j(·, x) : K → Yi,j is a group homomorphism, i.e., for any x ∈ X andk, k′ ∈ K we have

F (k ⊕ k′, x) = F (k, x)� F (k′, x).

• For each i, j, ` ∈ [N ] such that i ≤ j < `, there exists an efficiently computable function φi,j,` : Yi,j ×Yj+1,` →Yi,` such that for any x ∈ X and k, k′ ∈ K, we have

Fi,`(k ⊗ k′, x) = φi,j,`(Fi,j(k, x), Fj+1,`(k′, x)).

11.1 Two-slotted-RKHwPRFs from Bilinear SXDHLet e : G1 ×G2 → GT be an asymmetric efficiently computable non-degenerate bilinear map with “source groups” G1

and G2 , and “target group” GT with generator gT , where each group has order q (assumed prime). Also, let X be a setof size q such that there exist efficiently computable “encoding functions”:

H1 : X → G1, H2 : X → G2, HT : X → GT ,

such that for any x ∈ X , we haveHT (x) = e(H1(x), H2(x)).

Now, define the functions F1 : Zq ×X → G1 and F2 : Zq ×X → G2 as:

F1(k, x) = H1(x)k

, F2(k, x) = H2(x)k.

Similarly, define the function F1,2 : Zq ×X → GT as:

F1,2(k, x) = HT (x)k.

Assuming that bilinear SXDH holds (i.e., that the DDH assumption holds over each individual source group G1 andG2, and hence, over the target group GT ), and assuming that the “encoding functions” H1 and H2 are permutations,we can state the following:

• F1, F2 and F1,2 are weak PRFs.

• F1 and F2 are homomorphic with respect to addition. More concretely, for any k1, k2 ∈ Zq and for any x ∈ X ,we have:

F1(k1 + k2, x) = F1(k1, x) · F1(k2, x) , F2(k1 + k2, x) = F2(k1, x) · F2(k2, x).

Similarly, F1,2 is also homomorphic with respect to addition. More concretely, for any k1, k2 ∈ Zq and for anyx ∈ X , we have:

F1,2(k1 + k2, x) = F1,2(k1, x) · F1,2(k2, x).

To see this observe that:

F1(k1 + k2, x) = H1(x)k1+k2

= H1(x)k1 ·H1(x)

k2

= F1(k1, x) · F1(k2, x).

The addtitive homomorphisms of F2 and F1,2 follow similarly.

67

This gives us group key-homomorphic weak PRFs. However, defining ring-homomorphism is tricky, since none ofG1, G2 and GT are necessarily equipped with efficiently computable multiplication operations (in fact, for some ofthese groups, such an operation may not even be properly defined).

However, note that we can use the bilinear map e to “simulate” a single multiplication operation as follows: for anyk1, k2 ∈ Zq and for any x ∈ X , define the following operation:

φ(F1(k1, x), F2(k2, x)) := e(F1(k1, x), F2(k2, x)).

It is easy to see the following:

φ(F1(k1, x), F2(k2, x)) = e(F1(k1, x), F2(k2, x))

= e(H1(x)k1 , H2(x)k2

)= e (H1(x), H2(x))

k1·k2

= HT (x)k1·k2

= F1,2(k1 · k2, x).

It is now easy to see that the ensemble {F1, F2, FT } is a two-slotted RKHwPRF family by construction.

11.2 Multi-slotted-RKHwPRFs from SXDHWe now generalize the aforementioned framework to generic asymmetric multilinear map of arbitrary degree n equippedwith the SXDH assumption. We adopt the same definition of asymmetric multilinear maps presented in [GGH13a].According to this definition, in asymmetric multilinear maps, the groups are indexed by integer vectors. Formally, astandard asymmetric multilinear map consists of the following .

• Setup(1λ, 1N ,n): Takes as input a vector n ∈ ZN . Sets up an N -linear map by outputting a succinct descriptionof groups (G1,G2, · · · ,Gn) of prime order q (where q is a λ bit prime), along with the respective generatorsgv ∈ Gv for 1 ≤ v ≤ n (comparison of vectors is defined component-wise). Further, let ei be the i-th standardbasis vector (with 1 at position i and 0 at each other position). In standard notation, Gei is the ith source group,Gn is the target group, and the rest are the intermediate groups.

• ev1,v2(h1, h2): Takes as input h1 ∈ Gv1 and h2 ∈ Gv2 subject to the restriction that v1 + v2 <= n, andoutputs h3 ∈ Gv1+v2 such that

(h1 = gav1, h2 = gbv2

)⇒ h3 = gabv1+v2

For simplicity, we omit the subscripts and simply refer to this multilinear map as e, which may be generalized tomultiple inputs as:

e(h1, . . . , h`) = e(h1, e(h2, . . . , h`)).

Now, analogous to the bilinear setting, let X be a set of size q and assume that there exists a family of encodingfunctions {Hvi : X → Gvi}vi<=n such that for any vi,vj such that vi + vj <= n, the following relation holds:

Hvi+vj (x) = e(Hvi(x), Hvj (x)).

Note that this can be achieved via the following steps:

• For the i-th standard basis vector ei, choose a basis encoding function:

Hei : X → Gei .

68

• For any vector v <= n such that v =∑Ni=1 αi · ei, define

Hv := e(gα1e1, . . . , gαNeN ).

Next, for any any vector v <= n, define the function Fv : Zq ×X → Gv as:

Fv(k, x) = Hv(x)k.

Assuming that SXDH holds (i.e., that the DDH assumption holds over each group Gv) and assuming that each basisencoding function Hei is a permutation, we can state the following:

• Each function Fv is a weak PRF.

• Each function Fv is homomorphic with respect to addition. More concretely, for any k1, k2 ∈ Zq and for anyx ∈ X , we have:

Fv(k1 + k2, x) = Fv(k1, x) · Fv(k2, x).

This gives us group key-homomorphic weak PRFs. Again, defining ring-homomorphism is tricky, since none of thegroups output by the setup algorithm are necessarily equipped with efficiently computable multiplication operations.However, yet again, we can use the multilinear map e to “simulate” multiplication operations as follows: for anyk1, k2 ∈ Zq , for any x ∈ X , and for any any vi,vj such that vi + vj <= n, define the following operation:

φ(Fvi(k1, x), Fvj (k2, x)) := e(Fvi(k1, x), Fvj (k2, x)).

It is easy to see the following:

φ(Fvi(k1, x), Fvj (k2, x)) = e(Fvi(k1, x), Fvj (k2, x))

= e(Hvi(x)k1 , Hvj (x)k2

)= e

(Hvi(x), Hvj (x)

)k1·k2= Hvi+vj (x)k1·k2

= Fvi+vj (k1 · k2, x).

Finally, we show how to concretely construct an N -slotted RKHwPRF family based on the aforementioneddiscussion:

• For each i ∈ [N ], define Fi (equivalently, Fi,i) as Fi := Fei.

• For each i, j ∈ [N ] such that i < j, define Fi,j := Fvi,j where vi,j =∑j`=i e`.

It is easy to see that the ensemble {Fi,j}i,j∈[N ],i≤j is an N -slotted RKHwPRF family by construction.

11.3 Constructions from Slotted RKHwPRFsWe note that the key difference between classic and slotted RKHwPRFs is that the latter primitive is restricted in termsof “multiplication.” Namely the multiplication operation is only defined between wPRF evaluations from “adjacent”slots, and the maximum multiplicative depth is bounded by the number of slots, which is a parameter of the slottedRKHwPRF family. However, these restrictions do not hinder our constructions from classic RKHwPRFs from afunctional point of view. We elaborate more on this below.

69

Multiplying in Order. Our NIKE and iO constructions only require elements from the output ring of a classicRKHwPRF (or more generally, an RHS) to be multiplied in a pre-determined order. For example, in our NIKEconstruction, evaluating the final secret key requires the public/secret matrices of ring elements from various parties tobe multiplied in a specific pre-determined order (informally, in the order in which the parties are indexed).

The restriced order of multiplications is even more natural in the case of our iO construction. From a functionalpoint of view, evaluating a branching program using our iO construction requires the evaluator to multiply matrices ofring elements in the order of the level/variable index that they correspond to (depending on whether the matrix is a“program-carrying” matrix or an “enforcer” matrix). In addition, from a security point of view, we actually want torestrict an adversary from being able to multiply these matrices out of order, in order to prevent mix-and-match/inputinconsistency attacks. This is the key rationale behind our design of “guard matrices” which, at a high level, enforcethe restriction that only matrices (or in some cases submatrices) corresponding to adjacent levels/consecutive inputvariables can be meaningfully multiplied.

So, the lack of ability to multiply elements “out of order” certainly does not hurt us and may even help us in termsof practical security.

Pre-Determined Multiplicative Depth. Both our NIKE and iO constructions have a pre-fixed multiplicative depth.In the case of the NIKE construction, the multiplicative depth of the key derivation circuit is (N − 1), where N isthe number of parties participating in the protocol. In the case of the iO construction, the multiplicative depth of thecircuit evaluating an obfuscated program is bounded by c(L+N), where L is the depth of the permutation branchingprogram corresponding to the circuit to be obfuscated, N is the number of input variables and c is a fixed parameter ofthe construction. In particular, for our iO construction, the multiplicative depth of the evaluation circuit is independentof the actual circuit being obfuscated.

Sampling from Special Distributions. Our iO construction from classic RKHwPRF requires the ability to efficientlysample matrices of ring elements from certain special distributions. For example, the obfuscation algorithm samplesguard matrices that are uniform subject to specific constraints; in particular, the products of certain guard submatricesare required to be zero. In the slotted RKHwPRF setting, the output spaces of weak PRFs are not rings and hence do notnecessarily support efficient multiplication. This means we cannot sample such specially distributed matrices directlyfrom the output spaces.

However, we can easily get around this issue by sampling from the key space instead. Recall that the key space fora slotted RKHwPRF is a ring, supports efficient multiplications, and is shared across all unit interval-levels. Hence,we can sample from the key space of the slotted RKHwPRF in exactly the same way as from the output space of aclassic RKHwPRF. Next, we translate these sampled keys to the respective output spaces by evaluating the weak PRF ateach interval-level on the same uniform input x. By the ring-homomorphic properties of the slotted RKHwPRF, thecorresponding weak PRF outputs satisfy the desired distributions.

Overview of Construction Strategies. Based on the aforementioned observations, our constructions work fromslotted RKHwPRFs in the same way as they work from classic RKHwPRFs. For example, intuitively, the NIKEconstruction for N parties can be instantiated from a (2N − 1)-slotted RKHwPRF, where the N “odd-indexed” slots areused by each party to encode their secrets, and the “odd-indexed” are used for the public parameter matrices. In somemore detail, the secret Si for each party Pi would be a matrix of elements that belong to the unit interval [2i− 1, 2i− 1],and each public parameter matrix Ri would be a matrix of elements that belong to the unit interval [2i, 2i]. The finalsecret key would be a matrix of elements at the top-level interval [1, 2N − 1].

Similarly, the iO construction for permutation branching programs with depth L and N variables can be instantiatedfrom a (c(L+N))-slotted RKHwPRF, where c is a fixed parameter of the construction. Separate unit interval-slotswould be designated for each program-carrying and enforcing matrix, as well as for the guard matrices, such thatmatrices in these slots can be sampled from appropriate distributions and multiplied in order by the obfuscation andevaluation algorithms.

Finally, observe that just like a classic RKHwPRF, a slotted RKHwPRF is inherently equipped with a zero test;evaluating a PRF at any interval-level [i, j] with the zero key is guaranteed to produce the zero lement corresponding

70

to the interval-level [i, j]. Hence, the zero test for our iO construction from a slotted RKHwPRF would also work inexactly the same way as the zero test for our iO construction from a classic RKHwPRF.

Arguing Security. Finally, the security arguments for our constructions from classic RKHwPRFs can be naturallyadopted to work for their counteparts built from slotted RKHwPRFs. We note that the key space for a slotted RKHwPRFfamily is a ring (same as in a classic RKHwPRF), so the same (leftover hash lemma+weak pseudorandmoness) basedarguments for “repeated” subset sums and general linear sums also apply to the slotted RKHwPRF setting. At a highlevel, an adversary against a slotted RKHwPRF has strictly lesser computational capabilities than an adversary against aclassic RKHwPRF (due to the restrictions on the multiplication operations), and hence all relevant hardness assumptionsnaturally translate from the classic to the slotted setting.

12 Slotted Partial RKHwPRFsIn this section, we define another flavor of slotted RKHwPRF called a slotted partial RKHwPRF.

Definition 12.1. (Slotted Partial RKHwPRF.) An N -slotted partial RKHwPRF family is a collection of weak PRFfamilies {Fi,j : (K ×Ri,j)×X → Yi,j}i,j∈[N ],i≤j that satisfies the following properties:

• (K,⊕,⊗) is an efficiently samplable (finite) ring with efficiently computable ring operations.

• For each i, j ∈ [N ] such that i ≤ j, we have the following:

– (Yi,j ,�) is an efficiently samplable (finite) group with efficiently computable group operations.

– There exists an efficiently computable function ψi,j : Ri,j ×Ri,j → Ri,j such that for any x ∈ X , anyk, k′ ∈ K and any r, r′ ∈ Ri,j , we have

F ((k ⊕ k′, r′′), x) = F ((k, r), x)� F ((k′, r′), x),

where r′′ = ψi,j(r, r′).

• For each i, j, ` ∈ [N ] such that i ≤ j < `, there exists:

1. an efficiently computable function φi,j,` : Yi,j × Yj+1,` → Yi,`, and

2. an efficiently computable function ψi,j,` : Ri,j ×Rj+1,` → Ri,`,

such that for any x ∈ X , any k, k′ ∈ K, any r ∈ Ri,j and any r′ ∈ Rj+1,` we have

Fi,`((k ⊗ k′, r′′), x) = φi,j,`(Fi,j((k, r), x), Fj+1,`((k′, r′), x)),

where r′′ = ψi,j,`(r, r′).

• There exists an efficiently computable function ZeroTest such that for x ∈ X and any r ∈ Ri,j , the followingholds with overwhelmingly large probability:

ZeroTest(F1,N ((k, r), x)) = 1 if and only if k = 0K,

where F1,N is referred to as the top-level PRF.

Remark 12.2. Note that the zero test does not appear as an explicit requirement in the definitions of classical/slottedRKHwPRF presented earlier. This is because these primitives are inherently equipped with a zero test by virtue of theirexact ring-homomorphism properties. More concretely, evaluating a classical/slotted RKHwPRF on any input using thekey k = 0K trivially results in a zero output, which simply serves as the zero test. However, this is not guaranteed whenthe homomorphism is only partial, in which case the zero test needs to be listed as an explicit requirement.

71

12.1 Partial Slotted RKHwPRF from the MZ18 MMapMa and Zhandry [MZ18] proposed a candidate polynomial-degree multilinear map scheme (referred to as the MZ18MMap henceforth), that builds on top of the candidate polynomial-degree multilinear map scheme of Coron etal. [CLT13] (referred to as the CLT13 MMap henceforth). The MZ18 MMap construction is provably secure in theweak multilinear map model under the branching program unannihilatability assumption of Garg et al. [GMM+16]. Inparticular, it provably subverts many of the zeroizing attacks [CLLT17] proposed against the original CLT13 MMapscheme.

In this section, we show that the MZ18 MMap implies a slotted partial RKHwPRF family. We begin witha description of the MZ18 MMap construction. We subsequently show an explicit construction of slotted partialRKHwPRF from the MZ18 MMap.

Overview of the MZ18 MMap. We provide an overview of the MZ18 MMap construction. The plaintext spacefor the construction is a ring R = ZM (where M is not made public) with well-defined and efficiently computableaddition and multiplication operations. The construction maps plaintext elements onto encodings, where each encodingis associated with a particular level. An MZ18 MMap of degree N = poly(λ) (where λ is the security parameter)supports a total of N2 interval-levels of the form [i, j] such that i, j ∈ [N ] and i ≤ j. Each interval of the form [i, i] fori ∈ [n] is referred to as a singleton/unit interval-level.

At a high level, two kinds of operations are defined over the MZ18 MMap encodings - addition and multiplication.The addition operation is only defined between encodings that belong to the same interval-level [i, j], while themultiplication operation is only defined over encodings at adjacent interval-levels, i.e., it is only possible to multiplyencodings at levels [i, j] and [j+ 1, k] such that i, j, k ∈ [N ] and i ≤ j < k. The addition and multiplication operationsdefine a partial ring homomorphism between the space of encodings and the ring of plaintext elements. Addingencodings of plaintext elements a and b produces an encoding of (a+ b). Similarly, multiplication encodings of a and bproduces an encoding of (a · b).

Format of Encodings. Each encoding in the MZ18 MMap is a matrix, organized logically into NL columns. Thecolumns are further partitioned into N groups (numbered 1 through N ) consisting of L columns each. The columns ineach group are interleaved; for each i ∈ N , the ith group consists of the columns i, (i+N), (i+2N), . . . , (i+(L−1)N).The unit interval-level [i, i] is essentially made up of the columns in the ith group. Each MZ18 encoding at the unitinterval-level [i, i] consists of L matrices of CLT13 encodings, one in each of the columns corresponding to the columngroup i. More concretely, given a plaintext element a ∈ Zm, its overall meta-encoding at interval-level [i, i] is givenby the sequence of encodings (A

(i)` )`∈[L] corresponding to the sequence of plaintext elements (a, 0, . . . , 0), where for

each ` ∈ [L], A(i)` denotes the `th matrix in the encoding.

To construct A(i)` , MZ18 uses a core diagonal matrix A

(i)` of the form

A(i)` =

a`v`

w`ψ1I

. . .ψi−1I

E(i)`

ψi+1I. . .

ψNI

where:

• a` ∈ ZM is the plaintext element being encoded.

72

• v` and w` are freshly sampled uniformly random elements from the plaintext space ZM with the purpose ofenforcing a requirement called non-shortcutting that is essential to the security proof for the MZ18 construction.We refer the reader to [MZ18] for more details.

• Each block matrix of the form ψjI for j ∈ [N ] \ {i} is a random multiple of the identity matrix that simplyserves as a placeholder and is essentially unused.

• The block matrix E(i)` is an enforcer matrix with the purpose of preventing an adversary from arbitrarily mixing

and matching the matrices from different encodings. We again refer the reader to [MZ18] for more details onhow the enforcer matrix is constructed.

Kilian Randomization. A total of (NL+1) Kilian randomization matrices are generated, indexed as R0,R1, . . . ,RNL.s. All encodings share the same Kilian matrices. Each A

(i)` matrix at meta-level i is left- and right- multiplied by the

corresponding Kilian randomization matrices, giving the encoding

A′(i)

= RN(`−1)+(i−1)A(i)` RN(`−1)+i.

The Final Encoding. Finally, the MZ18 encoding A(i)` is generated as

A(i)` = Enc-CLT(A′

(i), N(`− 1) + i),

where the function Enc-CLT takes as input a matrix containing elements in ZN and a level z, and outputs a matrix suchthat each entry of the output matrix is a CLT13 encoding of the corresponding entry in the input matrix at the singletonlevel-set {z}.

We avoid presenting the details of the CLT13 encoding algorithm; the reader may refer [CLT13, MZ18]. Instead, wehighlight certain properties of the CLT13 encoding that are essential to the construction of slotted partial RKHwPRFsfrom the MZ18 MMap:

• There exists an efficiently computable addition operation over CLT13 encodings that belong to the same level-set.The addition operation between encodings defines a group that is homomorphic to the additive group over theplaintext space.

• There exists an efficiently computable multiplication operation over CLT13 encodings that belong to disjointlevel-sets. The resulting product is an encoding of the product of the underlying plaintext elements, albeit at thelevel-set which is the union of the input level-sets.

We will subsequently see how these partial ring-homomorphic properties in the original CLT13 encoding are inheritedby the MZ18 MMap encoding. We also note that the interval-levels supported by the MZ18 encoding are essentially arestriction of the level-sets supported by the CLT13 encoding, and this restriction plays a key role in preventing thezeroizing attacks plaguing the original CLT13 MMap construction.

Operations over Encodings. We now describe the addition and multiplication operations over the MZ18 encodings.Recall that given a plaintext element a ∈ Zm, its encoding is given by the sequence of encodings (A

(i)` )`∈[L]

corresponding to the sequence of plaintext elements (a, 0, . . . , 0). Before describing the operations, we assume that thefollowing encodings are published at setup:

• Encodings of {1, 2, 4, . . . , 2ρ−1} at every interval-level [i, j] such that i, j ∈ [N ] and i ≤ j, where τ ′ is aparameter that also depends on the plaintext ring ZM .

• τ ′-many uniformly random encodings of 0 at every interval-level [i, j] such that i, j ∈ [N ] and i ≤ j, where τ ′ isa parameter that also depends on the plaintext ring ZM .

73

Addition. To add two encodings at the same unit interval-level [i, i], which are essentially two sequences of matriceswith entries in ZM , one lines up the sequences of matrices and adds the corresponding matrices component-wise. Theresulting sequence of matrices is taken as the encoding of the sum. Intuitively, this works because:

1. All encodings at the same level use the same pair of Kilian randomizers; hence adding these matrices also addsthe sequence of underlying plaintexts.

2. The enforcing matrices corresponding to the same level are generated in a manner that preserves their structureacross addition over ZM .

More concretely, if the input encodings have plaintext sequences (a1, 0, . . . , 0) and (a2, 0, . . . , 0), the result of additionhas plaintext sequence (a1 + a2, 0, . . . , 0).

Multiplication. To multiply two encodings at interval-levels [i, j] and [j+1, j′] for i, j, j′ ∈ [N ] such that i ≤ j < j′,one proceeds as follows: for each ` ∈ [L], it multiplies the `th matrix from the first encoding with the `th matrix of thesecond encoding, re-randomizes it by adding the resulting matrix to a random encoding of 0 at the level [i, j′], and setsthe resulting matrix to be the `th matrix of the output encoding. Again, intuitively, this works because:

1. For each ` ∈ [L], the `th matrices in the meta-encodings at the interval-levels [i, j] and [j + 1, j′] use the Kilianrandomizer pairs (RN(`−1)+(i−1),RN(`−1)+j) and (RN(`−1)+j ,RN(`−1)+(j′−1)), and hence multiplying theseresults in a matrix with the the Kilian randomizer pair (RN(`−1)+(i−1),RN(`−1)+j′), as desired for the interval-level [i, j′].

2. Multiplying the matrices also multiplies (component-wise) the sequence of underlying plaintexts. This followsfrom the structure of the meta-encoding matrices.

3. For each ` ∈ [L], the pair of enforcing matrices (E(i,j)` ,E

(j+1,j′)` ) corresponding to the interval-levels [i, j] and

[j + 1, j′] is structured in a manner such that their product matrix E(i,j′) = E(i,j)` E

(j+1,j′)` is structured as an

enforcing matrix corresponding to the interval-level [i, j′] should be structured.

More concretely, if the input encodings have plaintext sequences (a1, 0, . . . , 0) and (a2, 0, . . . , 0), the result of multipli-cation has plaintext sequence (a1 · a2, 0, . . . , 0).

Generating Encodings of Arbitrary Plaintexts. We now describe how to efficiently generate MZ18 encodingscorresponding to arbitrary plaintexts. Observe that we published at setup encodings of {1, 2, 4, . . . , 2ρ−1} at each unitinterval-level [i, i] for i ∈ [n], where ρ is a parameter that depends on the plaintext ring ZM . To encode a plaintexta ∈ Z2ρ at a unit interval-level [i, i], one can then write the plaintext in base 2, and then sum the appropriate publicencodings of powers of 2. In [MZ18], the authors propose setting ρ = M × 2λ for a security parameter λ so that arandom a ∈ Z2ρ yields a plaintext element a′ = a mod M that is statistically close to random over the plaintext ringZM .

Re-randomizing Encodings. The MZ18 MMap construction also supports re-randomization. Recall that we pub-lished (at setup) τ ′-many uniformly random encodings of 0 at every interval-level [i, j] such that i, j ∈ [N ] and i ≤ j.In order to re-randomize any encoding at level [i, j], add to the encoding a subset-sum of the public encodings of 0available at this level.

Top-Level Zero Test. For the topmost interval-level [1, N ], the MZ18 construction publishes (at setup) a specialpre-zero-test encoding that will have most of the structure of a valid top level encoding, except that it will not correctlyencode an actual plaintext element. Instead, it encodes the plaintext-sequence will be (0, 1, 1, . . . , 1), which differsfrom a normal encoding where the plaintext-squences contain 0 at all but the first slot. The purpose of this encoding isto be added to any top level encoding we seek to zero test. In other words, suppose that we have a top-level encoding ofzero, i.e., a top-level encoding of the plaintext-sequence (0, 0, . . . , 0). Then adding the pre-zero-test encoding converts

74

it into a top-level encoding for the plaintext-sequence (0, 1, 1, . . . , 1). On the other hand, adding the pre-zero-testencoding to a non-zero encoding, i.e., a top-level encoding of the plaintext-sequence (a, 0, . . . , 0) for a 6= 0, converts itinto a top-level encoding for the plaintext-sequence (a, 1, 1, . . . , 1).

The next step is to design a test that checks for the plaintext sequence (0, 1, 1, . . . , 1). To achieve this, the MZ18construction also publishes (at setup) a pair of bookend encodings, which are CLT13 encodings of specially structuredvectors s and t such that

s =[1 1 0 F1 . . . FN

]R0 , t = R−1NL

101G1

...GN

,

where the F andG vectors are structured to interact with the enforcing matrices in a manner that ensures that multiplyinga top-level encoding for the plaintext-sequence (a, 1, 1, . . . , 1) with the bookend encodings results in a CLT13 encodingof the plaintext a. At this point, one can directly invoke the zero test procedure for the CLT13 MMap.

Formal Definition. Based on the description of the MZ18 MMap above, we formally represent the MZ18 MMapconstruction as an ensemble of the following poly-time algorithms:

• Setup-MZ(1λ, N): Takes as input a security parameter λ and the number of levels L and outputs a publicparameter pp, which contains the following:

1. Sufficiently many encodings of powers of 2 at all interval levels.

2. Sufficiently many encodings of 0 and sufficiently many encodings of 1 at all interval-levels.

3. The pre-zero test encoding and the bookend encodings for the zero test.

• Enc-MZ(pp, a, (i, j); r): Takes as input the public parameter pp, a plaintext element a ∈ ZM , indices i, j ∈[N ] such that i ≤ j and random coins r, and generates a sequence of randomized encodings (A

(i,j)` )`∈[L]

corresponding to the interval-level [i, j].

• ReRand-MZ(pp, (A(i,j)` )`∈[L], (i, j); r): Takes as input pp, a sequence of encodings (A

(i,j)` )`∈[L] correspond-

ing to the interval-level [i, j] and random coins r, and generates (A(i,j)` )`∈[L], which is a re-randomization of the

input encoding sequence at the same level [i, j].

• Add-MZ(pp, (A(i,j)` )`∈[L], (B

(i,j)` )`∈[L], (i, j); r): Takes as input pp, two sequences of encodings (A

(i,j)` )`∈[L]

and (B(i,j)` )`∈[L] at the interval-level [i, j], and random coins r, and outputs (C

(i,j)` )`∈[L], which represents the

sum of the input encodings at the same level [i, j].

• Mult-MZ(pp, (A(i,j)` )`∈[L], (B

(j+1,j′)` )`∈[L], (i, j, j

′); r): Takes as input pp, two sequences of encodings (A(i,j)` )`∈[L]

and (B(j+1,j′)` )`∈[L] at the interval-levels [i, j] and [j + 1, j′] respectively, and random coins r, and outputs

(C(i,j′)` )`∈[L] which represents the multiplication of the input encodings, albeit at the interval-level [i, j′].

• ZeroTest-MZ(pp, (A(1,N)` )`∈[L]): Takes as input pp, a top-level encoding-sequence (A

(1,N)` )`∈[L] and outputs

either 0 or 1.

We avoid formal descriptions of these functions, which essentially follow from the informal description presentedearlier. The readers may refer [MZ18] for the formal descriptions.

75

Choosing the Computational Assumption. We now focus on choosing the appropriate computational assumptionover the MX18 MMap to build slotted partial RKHwPRFs. Note that the standard SXDH assumption in the contextof the MZ18 MMap construction implies that the following assumption is true: letting pp = Setup-MZ(1λ, N), thefollowing ensembles are computationally indistinguishable for any i, j ∈ [N ] auch that i ≤ j and any T = poly(λ):

(pp, {Enc-MZ(pp, at, (i, j); rt),Enc-MZ(pp, k · at, (i, j); rt)}t∈[T ])

≈c (pp, {Enc-MZ(pp, at, (i, j); rt),Enc-MZ(pp, bt, (i, j); rt)}t∈[T ]),

where k, a1, . . . , aT , b1, . . . , bT are uniformly sampled plaintext elements in ZM , and r1, . . . , rT are appropriatelydistributed random coins for the MZ18 encoding algorithm.

However, since the MZ18 MMap uses “noisy” encodings, it does not support scalar multiplication with encodings.In other words, there is no efficient algorithm to compute an MZ18 encoding of (k.a) at interval-level [i, j] given anMZ18 encoding of a at interval-level [i, j]. As a result, this assumption is not immediately useful to construct weakPRF families.

We overcome this difficulty by using the following alternative computational assumption called “shifted”-SXDH:letting pp = Setup-MZ(1λ, N), the following ensembles are computationally indistinguishable for any index i ∈ [N ]and any T = poly(λ):

(pp, {Enc-MZ(pp, at, (i, j); rt),Enc-MZ(pp, k · at, (i, j + 1); rt)}t∈[T ])

≈c (pp, {Enc-MZ(pp, at, (i, j); rt),Enc-MZ(pp, bt, (i, j + 1); rt)}t∈[T ]),

where k, a1, . . . , aT , b1, . . . , bT are uniformly sampled plaintext elements in ZM , and r1, . . . , rT are appropriatelydistributed random coins for the MZ18 encoding algorithm.

Now observe the following: given an MZ18 encoding of a at interval-level [i, j], we can construct an MZ18encoding of (k.a) at level [i, j + 1] via the following steps:

1. Step-1: Create an encoding of k at interval-level [j + 1, j + 1].

2. Step-2: Invoke the MZ18 multiplication algorithm on the encoding of a at interval-level [i, j] and the encodingof k at interval-level [j + 1, j + 1].

In other words, by resorting to the “shifted”-SXDH assumption, we can construct a weak PRF family where eachfunction is efficiently computable, and the function output is “shifted” from the function input by a level. This allows usto overcome the limitations arising out of using the original SXDH assumption. However, the following question arises:

Is the “shifted”-SXDH assumption stronger than the original SXDH assumption?

The answer is no: the “shifted”-SXDH assumption is, in fact, implied by the SXDH assumption. To see this, observethat given an instance of the SXDH assumption, a PPT algorithm can easily simulate an instance of the “shifted”-SXDHassumption using the multiplication algorithm over the MZ18 encodings, such that the latter is a valid “shifted”-SXDHinstance if and only if the former is a valid SXDH instance. In other words, we can still base the security of ourRKHwPRF family on the SXDH assumption.

Constructing Slotted Weak PRFs. Equipped with the aforementioned computational assumption, we now showhow to concretely construct a slotted weak PRF family from the MZ18 MMap. Let pp = Setup-MZ(1λ, 2N + 1). LetX be a set of size M and assume that there exists a family of (randomized) hash functions {Hi,j}i,j∈[N ],i≤j such thatfor any x ∈ X , for any i, j, j′ ∈ [N ] satisfying i ≤ j < j′, there exists appropriately distributed random coins r suchthat the following relation holds:

Hi,j′(x) = Mult-MZ(pp, Hi,j(x), Hj+1,j′(x), r).

Note that this can be achieved via the following steps:

76

• For each unit interval-level [i, i] such that i ∈ [N ], choose a (randomized) hash function Hi,i that maps auniformly random element x ∈ X to a level-[i, i] encoding for a uniformly random plaintext element a ∈ Zm.

• For any i, j, j′ ∈ [N ] satisfying i ≤ j < j′, define the (randomized) hash function:

Hi,j′(x) = Mult-MZ(Hi,j(x), Hj+1,j′(x), r),

where r represents appropriately distributed random coins.

We now show how to construct the slotted partial RKHwPRF family. For any i, j ∈ [N ] satisfying i ≤ j, define thefunction Fi,j : (ZM ×Ri,j)×X → Yi,j as:

Fi,j((k, (r0, r1, r2)), x) = Mult-MZ(pp, H2i,2j(x; r0),Enc-MZ(pp, k, 2j + 1; r1), r2),

where r0, r1 and r2 represent appropriately distributed random coins for the hashing, MZ18 encoding and MZ18multiplication algorithms, respectively. 1 It is easy to see the following: under the assumption that the SXDH assumptionholds (and hence the “shifted”-SXDH assumption holds), the function Fi,j corresponding to each valid interval-level[i, j] is a weak PRF.

Partial Ring Homomorphism. We now demonstrate that the aforementioned slotted weak PRF family is in fact aslotted weak RKHwPRF family. More concretely, we show this slotted weak PRF family is equipped with the followingproperties: (a) additive homomorphism within interval-levels (b) partial multiplicative homomorphism across “adjacent”interval levels, and (c) an efficient top-level zero test.

Additive Homomorphism. We define the following (randomized) addition operation:

Fi,j((k, r), x)� Fi,j((k′, r′), x) := Add-MZ(pp, Fi,j((k, r), x), Fi,j((k

′, r′), x), r′′),

where r′′ represents appropriately distributed random coins for the MZ18 addition operation.Observe that the output of Fi,j is always an MZ18 encoding sequence at the interval-level [2i, 2j + 1]. Hence, the

aforementioned multiplication operation is well-defined. Finally, additive homomorphism follows from the additivehomomorphism of the MZ18 encodings.

Partial Multiplicative Homomorphism. Next, we define the following (randomized) multiplication operation:

Fi,j((k, r), x)� Fj+1,j′((k′, r′), x) := Mult-MZ(pp, Fi,j((k, r), x), Fj+1,j′((k

′, r′), x), r′′),

where r′′ represents appropriately distributed random coins for the MZ18 multiplication operation.Again, observe that the output of Fi,j and Fj+1,j′ are MZ18 encoding sequences at the interval-levels [2i, 2j + 1]

and [2j + 2, 2j′ + 1], respectively. Hence, the aforementioned multiplication operation is well-defined, and results inan encoding at the level [2i, 2j′ + 1], as desired. Additionally, partial multiplicative homomorphism follows from thepartial multiplicative homomorphism of the MZ18 encodings.

Top Level Zero-Test. We now describe the ZeroTest algorithm for the top-level PRF. Note that the output of ourtop-level PRF F1,n is an MZ18 encoding sequence at the interval-levels [2, 2N + 1]. Hence, to zero-test, we use thefollowing steps:

1. Step-1: Multiply the output of the PRF F1,n with a publicly available encoding of 1 at the interval-level[1, 1] (note that such an encoding is available as part of the public parameter pp) generated by the Setup-MZalgorithm.

2. Step-2: Invoke the MZ18 zero test algorithm ZeroTest-MZ on the resulting encoding.

Correctness of the aforementioned zero test procedure follows from the partial multiplicative homomorphism of theMZ18 encodings and the correcness of the MZ18 zero test algorithm.

1We implicitly assume that the MZ18 public parameter pp is part of the PRF family description.

77

Is Level-Doubling Necessary? Our construction of slotted partial RKHwPRFs requires an MZ18 MMap instantiationwith approximately twice the number of levels. This arises from the need to prove weak pseudorandomness. Recall thatin the weak pseudorandomness security game, the adversary is allowed to see uniformly randomly sampled input-outputpairs. In case of the MZ18 MMap which has noisy encodings, it seems hard to construct a weak PRF family basedon the SXDH assumption, where each function satisfies inputs and outputs are encodings at the same level, whilealso preserving partial ring homomorphism. Hence, we resorted to constructing a weak PRF family where the outputencodings are “shifted” from the input encodings by a single level. This doubles the overall number of levels requiredfor the construction.

However, it is possible to avoid this doubling requirement on the MZ18 MMap instantiation if we constructed aslightly weaker primitive, namely a slotted partial ring-homomorphic synthesizer (RHS), which is in fact sufficient forour target applications, namely NIKE and iO. In the synthesizer security game, the adversary is only allowed to see theoutputs of the synthesizer on uniformly random input pairs. Since the inputs are not made public, they need not beencoded into separate levels; hence, an MZ18 MMap with the same number of levels as the slotted RHS family suffices.This gives better concrete efficiency from the point of view of applications. In other words, level-doubling is notnecessary when using our techniques to build NIKE/iO from the MZ18 MMap; it more of a definitional requirement.

Nonetheless, we chose to present the slotted partial RKHwPRF construction since it is a natural weakening ofthe classical RKHwPRF primitive defined in the main body of the paper, as well as the slotted RKHwPRF primitivepresented in the previous section. In particular, it serves as a natural adaptation of the slotted RKHwPRF primitive (whichcan be built from classical graded encodings) in the context of noisy candidate MMaps, such as the MZ18 MMap. Weleave it as an interesting open question to build slotted partial RKHwPRFs from well-studied computational assumptionsover MZ18 MMaps (and other candidate nosiy MMaps) while avoiding the level-doubling requirements.

12.2 Partial Slotted RKHwPRF from Symmetric MMaps

In this section, we show that how to design partial slotted RKHwPRFs from symmetric multilinear maps. Notethat the SXDH assumption is trivially broken over symmetric multilinear maps; so we resort to using the more generalmatrix DDH family of assumptions. We note that multilinear maps we use here do not need to be fully symmetric forour construction to work. In fact, any multilinear map where the matrix-DDH assumption holds will work for thisconstruction, so this construction could be used for asymmetric multilinear maps. However, since SXDH clearly cannothold in asymmetric multilinear maps, we emphasize the application to symmetric multilinear maps below.

Let e : G×G× . . .×G→ GT be a symmetric efficiently computable non-degenerate N -linear map with “sourcegroup” G and “target group” GT , where each group has order q (assumed prime), and let g ← G be a publicly availableuniformly sampled generator element for G.

Matrix DDH Assumption. Suppose that n,m = poly(λ) are arbitrarily large, subject to the restriction that n > m.We recall the Un,m-matrix DDH (MDDH) Assumption assumption from [EHK+13] and present some useful associatedlemmas/corollaries.

Definition 12.3. (Un,m-MDDH Assumption.) The Un,m-MDDH assumption is said to hold over the group G of primeorder q if letting A← Zn×mq , k← Zmq and u← Znq , we have

(gA, gAk) ≈c (gA, gu),

where g ← G is a uniformly sampled generator element.

The following corollary also follows via a simple hybrid argument.

Corollary 12.4. Let L = poly(λ) and n = Lm. Assuming that the Un,m-MDDH assumption holds over the group G,we have {

(gA` , gA`K)

}`∈[L]

≈c (

{gA` , gU`)

}`∈[L]

,

where g ← G is a uniformly sampled generator element, K← Zm×mq , and for each ` ∈ [L], we have A`,U` ← Zm×mq .

78

We also state and prove the following statistical indistinguishability lemma.

Lemma 12.5. For any N,L = poly(λ), we havegA1K1,1A

−12 . . . gANK1,NA−1

N+1

.... . .

...gA1KL,1A

−12 . . . gANKL,NA−1

N+1

≈sgU1,1

1,1 . . . gU1,N

N,N...

. . ....

gUL,1

1,1 . . . gUL,N

N,N

where g ← G is a uniformly sampled generator element, for each n ∈ [N + 1], we have Ai ← Zm×mq and for each(`, i) ∈ [L]× [N ], we have K`,i,U`,i ← Zm×mq .

Proof. To see that this lemma is true, observe the following:gA1K1,1A

−12 . . . gAN−1K1,N−1A

−1N gANK1,NA−1

N+1

.... . .

......

gA1KL,1A−12 . . . gAN−1KL,N−1A

−1N gANKL,NA−1

N+1

≈s

gA1K1,1A

−12 . . . gAN−1K1,N−1A

−1N gANU′1,N

.... . .

...gA1KL,1A

−12 . . . gAN−1KL,N−1A

−1N gANU′L,N

≈s

gA1K1,1A

−12 . . . gAN−1K1,N−1A

−1N gU1,N

.... . .

......

gA1KL,1A−12 . . . gAN−1KL,N−1A

−1N gUL,N

where for each ` ∈ [L], we have U`,N ,U

′`,N ← Zm×mq .

The proof of Lemma 12.5 now follows from a simple hybrid argument, where in hybrid-i we apply the same set ofindistinguishable transformations as illustrated above to column (N − i+ 1) of the original matrix.

We now describe how to build a slotted partial RKHwPRF family from a symmetric multilinear map such that theaforementioned MDDH assumption and the associated lemmas hold over it.

Notation. We first set up some notation. For each i ∈ [N ], we define a unit interval group: Gi,i := G and a unitinterval generator gi,i := g. For each i, j, ` ∈ [N ] such that i ≤ j < `, we define the map

ei,j,` : Gi,j ×Gj+1,` → Gi,`,

and the group elementgi,` := ei,j,`(gi,j , gj+1,`).

We also overload the notation e and use it instead of ei,j,` whenever the source and target groups are clear from thecontext. It is easy to see that the “top-level” group G1,N is essentially the final group GT and the group element g1,N isessentially a generator for GT .

The Slotted Function Family. Let m = poly(λ) be a parameter such that m > N , and let X be a set such that thereexists a weak PRF family

{Hi : Ki ×X → Zm×mq }i∈[N+1].

Note that we do not require these weak PRFs to be endowed with any algebraic structure. Finally, we define a family offunctions

{Fi,j : (Zm×mq ×Ki ×Kj+1)×X → Gi,j}i,j∈[N ],i≤j ,

where for any i, j ∈ [N ] satisfying i ≤ j, we have

Fi,j((K, (ki, kj+1)), x) = gHi(ki,x)·Ki,j ·(Hj+1(kj+1,x))

−1

i,j .

79

Homomorphic Properties. It is easy to see the following:

1. For any i, j ∈ [N ] such that i ≤ j, for any x ∈ X , for a fixed (secret) choice of ki, kj+1 ∈ K and for anyK1,K2 ∈ Zm×mq , we have

Fi,j((K1 + K2, ki, kj+1), x) = Fi,j((K1, ki, kj+1), x) · Fi,j((K2, ki, kj+1), x).

To see this, observe the following:

Fi,j((K1, ki, kj+1), x) · Fi,j((K2, ki, kj+1), x)

= gH(ki,x)·K1·(H(kj+1,x))

−1

i,j · gH(ki,x)·K2·(H(kj+1,x))−1

i,j

= gH(ki,x)·(K1+K2)·(H(kj+1,x))

−1

i,j

= Fi,j((K1 + K2, ki, kj+1), x).

2. For any i, j, ` ∈ [N ] such that i ≤ j < `, for any x ∈ X , for a fixed (secret) choice of ki, kj+1, k`+1 ∈ K and forany K1,K2 ∈ Zm×mq , we have

Fi,`((K1 ·K2, ki, k`+1), x) = e(Fi,j((K1, ki, kj+1), x), Fj+1,`((K2, kj+1, k`+1), x)).

To see this, observe the following:

e(Fi,j((K1, ki, kj+1), x), Fj+1,`((K2, kj+1, k`+1), x))

= e

(gH(ki,x)·K1·(H(kj+1,x))

−1

i,j , gH(kj+1,x)·K2(H(k`+1,x))

−1

j+1,`

)= e(gi,j , gj+1,`)

H(ki,x)K1(H(kj+1,x))−1·H(kj+1,x)·K2·(H(k`+1,x))

−1

= gH(ki,x)·K1·K2·(H(k`+1,x))

−1

i,`

= Fi,`((K1 ·K2, ki, k`+1), x).

Top-Level Zero Test. It is easy to see that the aforementioned weak PRF family is inherently equipped with a toplevel zero-test. More specifically, for any x ∈ X and any k1 ∈ K1 and any kN+1 ∈ KN+1, we have

F1,N ((0, (k1, kN+1)), x) = g01,N+1,

where 0 is the all-zero matrx in Zm×mq . Thus the weak PRF output on an all-zero subkey is nothing but a matrix whoseevery entry is the identity element in G1,N , i.e., the target group GT . This immediately gives an efficiently computabletop-level zero test.

Weak PRF Security. We now prove that for any i, j ∈ [N ] such that i ≤ j, the function Fi,j is a weak PRF, underthe assumption that the Un,m-matrix DDH (MDDH) assumption holds over the source group G for sufficiently largen,m = poly(λ), subject to the restriction that n > m > N . More formally, we state and prove the following lemma.

Lemma 12.6. For any i, j ∈ [N ] such that i ≤ j and any arbitrarily large L = poly(λ), assuming that:

• Un,m-matrix DDH (MDDH) assumption holds over the source group G for n = Lm, and

• Hi : Ki ×X → Zm×mq and Hj+1 : Kj+1 ×X → Zm×mq are weak PRFs,

and letting

{x` ← X}`∈[L] , (ki, kj+1)← (Ki ×Kj+1) , {K← Zm×mq }`∈[L] , {U`,`′ ← Zm×mq }`,`′∈[L],

80

we haveFi,j((K1, (ki, kj+1)), x1) . . . Fi,j((KL, (ki, kj+1)), x1)...

. . ....

Fi,j((K1, (ki, kj+1)), xL) . . . Fi,j((KL, (kN , kN+1)), xL)

≈cgU1,1

i,j . . . gU1,L

i,j...

. . ....

gUL,1

i,j . . . gUL,L

i,j

Proof. To begin with, we exploit the weak pseudorandomness of the functions Hi amd Hj+1 to argue that the followingholds: {

Hi(ki, x`), Hj+1(kj+1, x`)

}`∈[L]

≈c{A`,0,A`,1

}`∈[L]

,

where for ` ∈ [L], A`,0,A`,1 ← Zm×mq . This in turn gives us the following:

Fi,j((K1, (ki, kj+1)), x1) . . . Fi,j((KL, (ki, kj+1)), x1)...

. . ....

Fi,j((K1, (ki, kj+1)), xL) . . . Fi,j((KL, (kN , kN+1)), xL)

≈cgA1,0K1A

−11,1

i,j . . . gA1,0KLA

−11,1

i,j...

. . ....

gAL,0K1A

−1L,1

i,j . . . gAL,0KLA

−1L,1

i,j

where for ` ∈ [L], A`,0,A`,1 ← Zm×mq . Next, we invoke Corollary 12.4 to argue the following:gA1,0K1A

−11,1

i,j gA1,0K2A

−11,1

i,j . . . gA1,0KLA

−11,1

i,j...

.... . .

...

gAL,0K1A

−1L,1

i,j gAL,0K2A

−1L,1

i,j . . . gAL,0KLA

−1L,1

i,j

≈cgU

(1)1,0A

−11,1

i,j gA1,0K2A

−11,1

i,j . . . gA1,0KLA

−11,1

i,j...

.... . .

...

gU

(L)1,0 A

−1L,1

i,j gAL,0K2A

−1L,1

i,j . . . gAL,0KLA

−1L,1

i,j

,where for each ` ∈ [L], we have U

(`)1,0 ← Zm×mq . Next, we have

gU

(1)1,0A

−11,1

i,j gA1,0K2A

−11,1

i,j . . . gA1,0KLA

−11,1

i,j...

.... . .

...

gU

(L)1,0 A−1

L,1

i,j gAL,0K2A

−1L,1

i,j . . . gAL,0KLA

−1L,1

i,j

≈sgU1,1

i,j gA1,0K2A

−11,1

i,j . . . gA1,0KLA

−11,1

i,j...

.... . .

...

gUL,1

i,j gAL,0K2A

−1L,1

i,j . . . gAL,0KLA

−1L,1

i,j

,

where for each ` ∈ [L], we have U`,1 ← Zm×mq .

The proof of pseudorandomness now follows from a simple hybrid argument, where in hybrid-i we apply the sameset of indistinguishable transformations as illustrated above to column i of the original matrix.

Parallel Input Security. Note that unlike all our previous instantiations of slotted weak PRF families where the weakPRF output at each unit interval level [i, i] is completely independent of the weak PRF output at any other interval level[i′, i′], in this instantiation, the weak PRF output at each unit interval level [i, i] is is related to the weak PRF output atthe interval level [i+ 1, i+ 1] by the shared Hi+1 term in the exponent of the generator.

Hence, we prove an additional security property called parallel input security, which states that an ensemble of weakPRF evaluations at each unit interval level on the same input x and using the same inter-level correlated randomness iscomputationally indistinguishable from uniform. More formally, we state and prove the following lemma.

Lemma 12.7. For any N,L = poly(λ), assuming that {Hi : Ki × X → Zm×mq }i∈[N+1] is a weak PRF family andletting

x← X , {ki ← Ki}i∈[N+1] , {K`,i,U`,i ← Zm×mq }`∈[L],i∈[N ],

81

we haveF1,1((K1,1, (k1, k2)), x) . . . FN,N ((K1,N , (kN , kN+1)), x)...

. . ....

F1,1((KL,1, (k1, k2)), x) . . . FN,N ((KL,N , (kN , kN+1)), x)

≈cgU1,1

1,1 . . . gU1,N

N,N...

. . ....

gUL,1

1,1 . . . gUL,N

N,N

where for each i ∈ [N ], gi,i = g such that g ← G is a uniformly sampled generator element.

Proof. First of all, we exploit the weak pseudorandomness of the function family {Hi : Ki ×X → Zm×mq }i∈[N+1] toargue that the following holds: {

Hi(ki, x)

}i∈[N+1]

≈c{Ai

}i∈[N+1]

,

where for each i ∈ [N + 1], Ai ← Zm×mq . This in turn gives us the following:

F1,1((K1,1, (k1, k2)), x) . . . FN,N ((K1,N , (kN , kN+1)), x)...

. . ....

F1,1((KL,1, (k1, k2)), x) . . . FN,N ((KL,N , (kN , kN+1)), x)

≈cgA1K1,1A

−12

1,1 . . . gANK1,NA−1

N+1

N,N...

. . ....

gA1KL,1A

−12

1,1 . . . gANKL,NA−1

N+1

N,N

,where for each i ∈ [N + 1], Ai ← Zm×mq . Next, we invoke Lemma 12.5 to argue

gA1K1,1A−12 . . . gANK1,NA−1

N+1

.... . .

...gA1KL,1A

−12 . . . gANKL,NA−1

N+1

≈sgU1,1

1,1 . . . gU1,N

N,N...

. . ....

gUL,1

1,1 . . . gUL,N

N,N

.This completes the proof of parallel input security.

12.3 Constructions from Slotted Partial RKHwPRFsNote that our constructions from classic RKHwPRFs also work from slotted partial RKHwPRFs. This follows fromarguments very similar to those presented in the context of slotted RKHwPRFs. The reader may refer Section 11.3for a detailed discussion on why the imposition of slots and the corresponding restrictions on the multiplicationoperations do not hinder our constructions from functioning correctly and securely. In this section, we focus on two keydifference between slotted RKHwPRFs and slotted RKHwPRFs, both of which are related to the partial nature of thehomomorphism in the latter primitive.

Zero Test. First, unlike slotted RKHwPRFs, a slotted partial RKHwPRF is not inherently equipped with a zero test.The use of additional secret randomness during weak PRF evaluation, and the fact that this randomness does not respectany form of group/ring-homomorphism, implies that evaluating the weak PRF using a zero key is not guaranteed toproduce the zero element in the corresponding output interval-level. We take this into account by listing a top-level zerotest as an explicit requirement in our definitions of slotted partial RKHwPRF (Definition 12.1). As far as instantiationsare concerned, the construction of slotted partial RKHwPRF from matrix-DDH over multilinear maps is naturallyequipped with a zero test due to the specific structure of the randomness used during weak PRF evaluation, while theMZ18 MMap is equipped with its own zero test, which can be easily translated into an appropriate zero test for theslotted partial RKHwPRF built from it.

Bounded Hommorphic Operations. Unlike a slotted RKHwPRF where the only restrictions are on the multiplicativedepth, a slotted partial RKHwPRF could also be bounded with respect to the number of homomorphic addition operationsit supports at any given interval-slot. This is especially relevant with respect to the MZ18 MMap, which builds on topof “noisy” CLT13 encodings, and the noise grows with every additive operation between encodings.

82

We note however that both our NIKE and iO constructions also have a pre-fixed additive depth. In the case ofthe NIKE construction, the additive depth of the key derivation circuit is O(Nm), where N is the number of partiesparticipating in the protocol and m = poly(λ) is a fixed matrix-dimension parameter. In the case of the iO construction,the multiplicative depth of the circuit evaluating an obfuscated program is O((L+N)m), where L is the depth of thepermutation branching program corresponding to the circuit to be obfuscated, N is the number of input variables andm = poly(λ) is a fixed matrix-dimension parameter of the construction. In particular, for our iO construction, theadditive depth of the evaluation circuit is independent of the actual circuit being obfuscated. Hence, as long as theslotted partial RKHwPRF family is securely instantiated with appropriate parameters that supports the requisite numberof additively homomorphic operations for our constructions, both correctness and security of our constructions can beensured.

Rerandomization. Note that in our security proofs for the iO construction from classic RKHwPRFs, we requirethe ability to create RKHwPRF outputs under fresh keys from a publicly available set of RKHwPRF outputs underrandom keys. We do this by “subset-summing” over the publicly available RKHwPRF outputs, and then use the leftoverhash lemma to argue that the resulting RKHwPRF output is appropriately distributed under a key that is statisticallyindistinguishable from random.

In the partial RKHwPRF setting, only “subset-summing” over the publicly available RKHwPRF outputs doesnot necessarily suffice. This is because we need to make sure that the new weak PRF output is not only distributedappropriately with respect to the underlying key, but also the additional underlying randomness. In other words, we needan additional rerandomization algorithm that takes the output of “subset-summing” and re-randomizes it in a mannerthat preserves both the distribution of the key and the additional randomness (at least in a manner that is computationallyindistinguishable from a “freshly created” weak PRF output). This is especially relevant with respect to the MZ18MMap, which builds on top of “noisy” CLT13 encodings. In particular, “subset-summing” over MZ18 encodings doesnot necessarily preserve the appropriate noise distribution in the resulting encoding.

However, we note that MZ18 MMap comes equipped with such a rerandomization algorithm. In our security proofsfor the MZ18 MMap-based constructions, we thus require only additional step: after “subset-summing” over the publiclyavailable encodings, we use the leftover hash lemma (as in the classic RKHwPRF setting) in conjunction with theMZ18 rerandomization algorithm to make sure that the distribution of the freshly created encoding is computationallyindistinguishable from that of a “freshly created” encoding.

The issue of rerandomization does not arise in the slotted partial RKHwPRF construction from multilinear mapswhere the matrix-DDH assumption holds, due to the special structure of its underlying randomness terms. Here, we cansimply “subset-sum” over existing weak PRF outputs and argue that the resulting RKHwPRF output is appropriatelydistributed under a key that is statistically indistinguishable from random. The argument uses the leftover hash lemmaand follows exactly as in the classic RKHwPRF case.

13 Impossibility of Field(-embedded) Homomorphic SynthesizersIn this section, we show that there is no (secure) Field-embedded Homomorphic Synthesizer (FHS). Since a field-embedded homomorphic synthesizer is trivially implied by a Field KHwPRF (or a Field-homomorphic Synthesizer), itfollows that there is no (secure) Field KHwPRF (or a Field-homomorphic Synthesizer) as well. First, we define thenotion of a field-embedded homomorphic synthesizer:

Definition 13.1. (Field-embedded Homomorphic Synthesizer.) A Field-embedded Homomorphic Synthesizer (FHS)S : X ×G→ F is a synthesizer that satisfies the following properties:

• (G,⊕) is an efficiently samplable (finite) group with efficiently computable group operation.

• (F,�,�) is an efficiently samplable (finite) field with efficiently computable field operations.

• For any x ∈ X the function S(x, ·) : G→ F is a group homomorphism, i.e., for any x ∈ X and f1, f2 ∈ F wehave

S(x, g1 ⊕ g2) = S(x, f1)� S(x, f2)

83

It is easy to see that a ring-embedded homomorphic synthesizer is implied by an RKHwPRF or an RIHwPRF (forwhich the input space does not depend on the choice of the key).

Informally, a field-embedded homomorphic synthesizer is a stronger version of ring-embedded homomorphicsynthesizer which enables to efficiently compute the inverse in the output field. We now show that there is a (generic)attack against any field-embedded homomorphic synthesizer.

Let S : X × F → F be a field-embedded homomorphic synthesizer, and fix an integer m > 3 log |F |. IfF← Fm×m and s← {0F , 1F }m, by Theorem 4.1 it follows that

(F,Fs)c≈ (F,u),

where u← Fm is a uniformly chosen vector of field elements. We define the set S as

S = {Fs : s ∈ {0F , 1F }}

Since |F | is superpolynomially large in λ (otherwise the attack is straightforward), it follows that

• F is a full-rank matrix with high probability.

• Pr[u ∈ S] ≤ negl(λ) where the probability is taken over the randomness of F and u.

Given a pair of the form (F, c) where either c = Fs or c is a uniform vector over Fm, the attacker solves the (linear)equation Fx = c and checks whether the solution is binary. Notice that Gaussian elimination is possible since the fieldoperations (including inverse) can be efficiently done in F . If there exists a binary solution, the attacker outputs 1.Otherwise, it outputs 0. It is easy to see that the advantage of the attacker in distinguishing (F,Fs) and (F,u) is closeto 1. Therefore, there is no (secure) field-embedded homomorphic synthesizer.

14 Conclusion and Future WorkIn this paper, we showed how to build iO and multiparty NIKE from a ring-embedded homomorphic synthesizer. Inparticular, our iO construction is secure in the standard model and from a program independent assumption. We thinkthat RHS (or RKHwPRF) is one of the simplest and most understandable primitives that is currently known to directlyimply iO. We also showed that asymmetric multilinear maps that satisfy certain properties imply RKHwPRF, which inturn imply RHS.

Public Key Cryptography and Mathematical Structure. This work also mostly completes the line of work startedin [AMPR19] that suggests that public-key cryptographic primitives inherently follow from structured Minicryptprimitives. With this work, we can show that all of the most common cryptosystems can, in fact, be built using astructured Minicrypt primitive. The structure over a Minicrypt primitive also happens to be easy to state: either a groupor ring homomorphism over the input space or key space.

This bolsters the argument that it makes sense to base theoretical constructions of cryptosystems (i.e., constructionsthat are focused on showing the existence of something rather than a practical implementation) on generic primitivesrather than concrete assumptions, since the generic primitives protect against specific assumptions being broken. Wedefer to the work of [AMPR19] for a more eloquent argument of this point.

The intuition about structure and public-key cryptography in this work can also be applied to some primitivesthat have not been studied before. For instance, threshold signatures using bilinear maps (e.g. as in [BLS01]-basedsignatures) exploit the full structure of a field in order to use Shamir secret sharing [Sha79]. Lattice-based assumptionstypically are only (bounded) ring homomorphic (and not field homomorphic). This is perhaps a natural reason whylattice-based threshold signature constructions [BGG+18] are seemingly harder to construct than those from bilinearmaps, and finding a way to build a field homomorphic primitive using lattices might be a plausible way to try buildefficient threshold signatures from lattices.

84

Constructing an RKHwPRF. Currently, we know of no existing, provably secure constructions of an RKHwPRFfrom standard assumptions. However, it is certainly worth it to briefly discuss some strategies for constructing anRKHwPRF and why known techniques do not work. A very natural starting question that an ambitious researcher mightask is the following: is it possible to use the highly structured primitives from [AMPR19] to build iO? This question isparticularly interesting because RIHwPRFs with certain properties are known to be implied by FHE, which is in turnimplied by standard LWE.

From [GMM17], we know that building iO from FHE is impossible in a certain black-box sense. This means that itis unlikely that we can take a generic IHwPRF and use it to construct a KHwPRF. Concretely, [AMPR19] showed thatequipping weak PRFs with a ring homomorphism over the input space (RIHwPRF) with certain other requirementsyields a fully homomorphic encryption scheme. In addition, FHE also implies an RIHwPRF with certain properties. Onthe other hand, our results here show that RKHwPRFs imply the powerful notion of indistinguishability obfuscation. Sowe might ask, what are the qualitative differences between these two constructions? And what is the intuitive reasonwhy we cannot construct RKHwPRFs from RIHwPRFs? If we closely examine the construction of RIHwPRF fromFHE in [AMPR19], we see that the resulting RIHwPRFs have a substantial drawback that prevents us from building anRKHwPRF: the output space of the RIHwPRF is dependent on the choice of the key.

References[AB15] B. Applebaum and Z. Brakerski. Obfuscating circuits via composite-order graded encoding. In Y. Dodis

and J. B. Nielsen, editors, TCC 2015, Part II, volume 9015 of LNCS, pages 528–556. Springer, Heidelberg,March 2015.

[ADM06] V. Arvind, B. Das, and P. Mukhopadhyay. The complexity of black-box ring problems. In Proceedingsof the 12th Annual International Conference on Computing and Combinatorics, COCOON’06, pages126–135. Springer-Verlag, Berlin, Heidelberg, 2006. ISBN 3-540-36925-2, 978-3-540-36925-7.

[AFH+16] M. R. Albrecht, P. Farshim, D. Hofheinz, E. Larraia, and K. G. Paterson. Multilinear maps fromobfuscation. In E. Kushilevitz and T. Malkin, editors, TCC 2016-A, Part I, volume 9562 of LNCS, pages446–473. Springer, Heidelberg, January 2016.

[Agr19] S. Agrawal. Indistinguishability obfuscation without multilinear maps: New methods for bootstrappingand instantiation. In Y. Ishai and V. Rijmen, editors, EUROCRYPT 2019, Part I, volume 11476 of LNCS,pages 191–225. Springer, Heidelberg, May 2019.

[AJ15] P. Ananth and A. Jain. Indistinguishability obfuscation from compact functional encryption. In R. Gennaroand M. J. B. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, pages 308–326. Springer,Heidelberg, August 2015.

[AJL+19] P. Ananth, A. Jain, H. Lin, C. Matt, and A. Sahai. Indistinguishability obfuscation without multilinearmaps: New paradigms via low degree weak pseudorandomness and security amplification. In A. Boldyrevaand D. Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS, pages 284–332. Springer,Heidelberg, August 2019.

[Alb19] M. Albrecht. Are graded encoding schemes broken yet?, 2019.

[AM18] S. Agrawal and M. Maitra. FE and iO for turing machines from minimal assumptions. In A. Beimeland S. Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages 473–512. Springer,Heidelberg, November 2018.

[AMP19] N. Alamati, H. Montgomery, and S. Patranabis. Symmetric primitives with structured secrets. InA. Boldyreva and D. Micciancio, editors, CRYPTO 2019, Part I, volume 11692 of LNCS, pages 650–679.Springer, Heidelberg, August 2019.

[AMP20] N. Alamati, H. Montgomery, and S. Patranabis. Stronger multilinear maps from indistinguishabilityobfuscation. Cryptology ePrint Archive, Report 2020/610, 2020.

85

[AMPR19] N. Alamati, H. Montgomery, S. Patranabis, and A. Roy. Minicrypt primitives with algebraic structure andapplications. In Y. Ishai and V. Rijmen, editors, EUROCRYPT 2019, Part II, volume 11477 of LNCS,pages 55–82. Springer, Heidelberg, May 2019.

[AS17] P. Ananth and A. Sahai. Projective arithmetic functional encryption and indistinguishability obfuscationfrom degree-5 multilinear maps. In J. Coron and J. B. Nielsen, editors, EUROCRYPT 2017, Part I, volume10210 of LNCS, pages 152–181. Springer, Heidelberg, April / May 2017.

[Bar17] B. Barak. The complexity of public-key cryptography. In Tutorials on the Foundations of Cryptography,pages 45–77. 2017.

[BBKK18] B. Barak, Z. Brakerski, I. Komargodski, and P. K. Kothari. Limits on low-degree pseudorandomgenerators (or: Sum-of-squares meets program obfuscation). In J. B. Nielsen and V. Rijmen, editors,EUROCRYPT 2018, Part II, volume 10821 of LNCS, pages 649–679. Springer, Heidelberg, April / May2018.

[BDGM20] Z. Brakerski, N. Dottling, S. Garg, and G. Malavolta. Candidate iO from homomorphic encryptionschemes. In V. Rijmen and Y. Ishai, editors, EUROCRYPT 2020, Part I, LNCS, pages 79–109. Springer,Heidelberg, May 2020.

[BF01] D. Boneh and M. K. Franklin. Identity-based encryption from the Weil pairing. In J. Kilian, editor,CRYPTO 2001, volume 2139 of LNCS, pages 213–229. Springer, Heidelberg, August 2001.

[BGG+18] D. Boneh, R. Gennaro, S. Goldfeder, A. Jain, S. Kim, P. M. R. Rasmussen, and A. Sahai. Thresholdcryptosystems from threshold fully homomorphic encryption. In H. Shacham and A. Boldyreva, editors,CRYPTO 2018, Part I, volume 10991 of LNCS, pages 565–596. Springer, Heidelberg, August 2018.

[BGI+01] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, and K. Yang. On the(im)possibility of obfuscating programs. In J. Kilian, editor, CRYPTO 2001, volume 2139 of LNCS, pages1–18. Springer, Heidelberg, August 2001.

[BGK+14] B. Barak, S. Garg, Y. T. Kalai, O. Paneth, and A. Sahai. Protecting obfuscation against algebraic attacks.In P. Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 of LNCS, pages 221–238.Springer, Heidelberg, May 2014.

[BGMZ18] J. Bartusek, J. Guan, F. Ma, and M. Zhandry. Return of GGH15: Provable security against zeroizingattacks. In A. Beimel and S. Dziembowski, editors, TCC 2018, Part II, volume 11240 of LNCS, pages544–574. Springer, Heidelberg, November 2018.

[BKM17] D. Boneh, S. Kim, and H. W. Montgomery. Private puncturable PRFs from standard lattice assumptions.In J. Coron and J. B. Nielsen, editors, EUROCRYPT 2017, Part I, volume 10210 of LNCS, pages 415–445.Springer, Heidelberg, April / May 2017.

[BKM+19] A. Bishop, L. Kowalczyk, T. Malkin, V. Pastro, M. Raykova, and K. Shi. In pursuit of clarity in obfuscation.Cryptology ePrint Archive, Report 2019/463, 2019. https://eprint.iacr.org/2019/463.

[BLMR13] D. Boneh, K. Lewi, H. W. Montgomery, and A. Raghunathan. Key homomorphic PRFs and theirapplications. In R. Canetti and J. A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages410–428. Springer, Heidelberg, August 2013.

[BLS01] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In C. Boyd, editor,ASIACRYPT 2001, volume 2248 of LNCS, pages 514–532. Springer, Heidelberg, December 2001.

[BMSZ15] S. Badrinarayanan, E. Miles, A. Sahai, and M. Zhandry. Post-zeroizing obfuscation: The case of evasivecircuits. Cryptology ePrint Archive, Report 2015/167, 2015. http://eprint.iacr.org/2015/167.

86

https://eprint.iacr.org/2019/463

http://eprint.iacr.org/2015/167

http://eprint.iacr.org/2015/167

[BP15] N. Bitansky and O. Paneth. ZAPs and non-interactive witness indistinguishability from indistinguishabilityobfuscation. In Y. Dodis and J. B. Nielsen, editors, TCC 2015, Part II, volume 9015 of LNCS, pages401–427. Springer, Heidelberg, March 2015.

[BR14a] Z. Brakerski and G. N. Rothblum. Black-box obfuscation for d-CNFs. In M. Naor, editor, ITCS 2014,pages 235–250. ACM, January 2014.

[BR14b] Z. Brakerski and G. N. Rothblum. Virtual black-box obfuscation for all circuits via generic gradedencoding. In Y. Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 1–25. Springer, Heidelberg,February 2014.

[Bra12] Z. Brakerski. Fully homomorphic encryption without modulus switching from classical GapSVP. InR. Safavi-Naini and R. Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 868–886. Springer,Heidelberg, August 2012.

[BV11] Z. Brakerski and V. Vaikuntanathan. Fully homomorphic encryption from ring-LWE and security forkey dependent messages. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 505–524.Springer, Heidelberg, August 2011.

[BV15] N. Bitansky and V. Vaikuntanathan. Indistinguishability obfuscation from functional encryption. InV. Guruswami, editor, 56th FOCS, pages 171–190. IEEE Computer Society Press, October 2015.

[BZ14] D. Boneh and M. Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistin-guishability obfuscation. In J. A. Garay and R. Gennaro, editors, CRYPTO 2014, Part I, volume 8616 ofLNCS, pages 480–499. Springer, Heidelberg, August 2014.

[CC17] R. Canetti and Y. Chen. Constraint-hiding constrained PRFs for NC1 from LWE. In J. Coron andJ. B. Nielsen, editors, EUROCRYPT 2017, Part I, volume 10210 of LNCS, pages 446–476. Springer,Heidelberg, April / May 2017.

[CCH+19] J. H. Cheon, W. Cho, M. Hhan, J. Kim, and C. Lee. Statistical zeroizing attack: Cryptanalysis ofcandidates of BP obfuscation over GGH15 multilinear map. In A. Boldyreva and D. Micciancio, editors,CRYPTO 2019, Part III, volume 11694 of LNCS, pages 253–283. Springer, Heidelberg, August 2019.

[CGH17] Y. Chen, C. Gentry, and S. Halevi. Cryptanalyses of candidate branching program obfuscators. In J. Coronand J. B. Nielsen, editors, EUROCRYPT 2017, Part III, volume 10212 of LNCS, pages 278–307. Springer,Heidelberg, April / May 2017.

[CHL+15] J. H. Cheon, K. Han, C. Lee, H. Ryu, and D. Stehle. Cryptanalysis of the multilinear map over theintegers. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part I, volume 9056 of LNCS, pages3–12. Springer, Heidelberg, April 2015.

[CLLT16] J.-S. Coron, M. S. Lee, T. Lepoint, and M. Tibouchi. Cryptanalysis of GGH15 multilinear maps. InM. Robshaw and J. Katz, editors, CRYPTO 2016, Part II, volume 9815 of LNCS, pages 607–628. Springer,Heidelberg, August 2016.

[CLLT17] J.-S. Coron, M. S. Lee, T. Lepoint, and M. Tibouchi. Zeroizing attacks on indistinguishability obfuscationover CLT13. In S. Fehr, editor, PKC 2017, Part I, volume 10174 of LNCS, pages 41–58. Springer,Heidelberg, March 2017.

[CLT13] J.-S. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers. In R. Canetti andJ. A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 476–493. Springer, Heidelberg,August 2013.

[CLT15] J.-S. Coron, T. Lepoint, and M. Tibouchi. New multilinear maps over the integers. In R. Gennaro andM. J. B. Robshaw, editors, CRYPTO 2015, Part I, volume 9215 of LNCS, pages 267–286. Springer,Heidelberg, August 2015.

87

[DH76] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory,IT-22(6):644–654, 1976.

[EHK+13] A. Escala, G. Herold, E. Kiltz, C. Rafols, and J. Villar. An algebraic framework for Diffie-Hellmanassumptions. In R. Canetti and J. A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS, pages129–147. Springer, Heidelberg, August 2013.

[FHHL18] P. Farshim, J. Hesse, D. Hofheinz, and E. Larraia. Graded encoding schemes from obfuscation. InM. Abdalla and R. Dahab, editors, PKC 2018, Part II, volume 10770 of LNCS, pages 371–400. Springer,Heidelberg, March 2018.

[Gen09] C. Gentry. Fully homomorphic encryption using ideal lattices. In M. Mitzenmacher, editor, 41st ACMSTOC, pages 169–178. ACM Press, May / June 2009.

[GGH13a] S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. In T. Johansson andP. Q. Nguyen, editors, EUROCRYPT 2013, volume 7881 of LNCS, pages 1–17. Springer, Heidelberg,May 2013.

[GGH+13b] S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishabilityobfuscation and functional encryption for all circuits. In 54th FOCS, pages 40–49. IEEE ComputerSociety Press, October 2013.

[GGH15] C. Gentry, S. Gorbunov, and S. Halevi. Graph-induced multilinear maps from lattices. In Y. Dodis andJ. B. Nielsen, editors, TCC 2015, Part II, volume 9015 of LNCS, pages 498–527. Springer, Heidelberg,March 2015.

[GGHR14] S. Garg, C. Gentry, S. Halevi, and M. Raykova. Two-round secure MPC from indistinguishabilityobfuscation. In Y. Lindell, editor, TCC 2014, volume 8349 of LNCS, pages 74–94. Springer, Heidelberg,February 2014.

[GLSW15] C. Gentry, A. B. Lewko, A. Sahai, and B. Waters. Indistinguishability obfuscation from the multilinearsubgroup elimination assumption. In V. Guruswami, editor, 56th FOCS, pages 151–170. IEEE ComputerSociety Press, October 2015.

[GMM+16] S. Garg, E. Miles, P. Mukherjee, A. Sahai, A. Srinivasan, and M. Zhandry. Secure obfuscation in a weakmultilinear map model. In M. Hirt and A. D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS,pages 241–268. Springer, Heidelberg, October / November 2016.

[GMM17] S. Garg, M. Mahmoody, and A. Mohammed. Lower bounds on obfuscation from all-or-nothing encryptionprimitives. In J. Katz and H. Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages661–695. Springer, Heidelberg, August 2017.

[GSW13] C. Gentry, A. Sahai, and B. Waters. Homomorphic encryption from learning with errors: Conceptually-simpler, asymptotically-faster, attribute-based. In R. Canetti and J. A. Garay, editors, CRYPTO 2013,Part I, volume 8042 of LNCS, pages 75–92. Springer, Heidelberg, August 2013.

[HB15] M. Horvath and L. Buttyan. The birth of cryptographic obfuscation-a survey. Technical report, CryptologyePrint Archive, Report 2015/412, 2015.

[HJ16] Y. Hu and H. Jia. Cryptanalysis of GGH map. In M. Fischlin and J.-S. Coron, editors, EUROCRYPT 2016,Part I, volume 9665 of LNCS, pages 537–565. Springer, Heidelberg, May 2016.

[HSW14] S. Hohenberger, A. Sahai, and B. Waters. Replacing a random oracle: Full domain hash from indistin-guishability obfuscation. In P. Q. Nguyen and E. Oswald, editors, EUROCRYPT 2014, volume 8441 ofLNCS, pages 201–220. Springer, Heidelberg, May 2014.

88

[IZ89] R. Impagliazzo and D. Zuckerman. How to recycle random bits. In 30th FOCS, pages 248–253. IEEEComputer Society Press, October / November 1989.

[Jag12] T. Jager. On black-box models of computation in cryptology. Ph.D. thesis, Ruhr University Bochum,2012.

[JLMS19] A. Jain, H. Lin, C. Matt, and A. Sahai. How to leverage hardness of constant-degree expanding polynomi-als overa R to build iO. In Y. Ishai and V. Rijmen, editors, EUROCRYPT 2019, Part I, volume 11476 ofLNCS, pages 251–281. Springer, Heidelberg, May 2019.

[Jou00] A. Joux. A one round protocol for tripartite diffie–hellman. In International algorithmic number theorysymposium, pages 385–393. Springer, 2000.

[Kil88] J. Kilian. Founding cryptography on oblivious transfer. In 20th ACM STOC, pages 20–31. ACM Press,May 1988.

[Lin16] H. Lin. Indistinguishability obfuscation from constant-degree graded encoding schemes. In M. Fischlinand J.-S. Coron, editors, EUROCRYPT 2016, Part I, volume 9665 of LNCS, pages 28–57. Springer,Heidelberg, May 2016.

[Lin17] H. Lin. Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In J. Katzand H. Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 599–629. Springer,Heidelberg, August 2017.

[LT17] H. Lin and S. Tessaro. Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. InJ. Katz and H. Shacham, editors, CRYPTO 2017, Part I, volume 10401 of LNCS, pages 630–660. Springer,Heidelberg, August 2017.

[LV16] H. Lin and V. Vaikuntanathan. Indistinguishability obfuscation from DDH-like assumptions on constant-degree graded encodings. In I. Dinur, editor, 57th FOCS, pages 11–20. IEEE Computer Society Press,October 2016.

[LV17] A. Lombardi and V. Vaikuntanathan. Limits on the locality of pseudorandom generators and applicationsto indistinguishability obfuscation. In Y. Kalai and L. Reyzin, editors, TCC 2017, Part I, volume 10677of LNCS, pages 119–137. Springer, Heidelberg, November 2017.

[Mic02] D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions fromworst-case complexity assumptions. In 43rd FOCS, pages 356–365. IEEE Computer Society Press,November 2002.

[MMN16] M. Mahmoody, A. Mohammed, and S. Nematihaji. On the impossibility of virtual black-box obfuscationin idealized models. In E. Kushilevitz and T. Malkin, editors, TCC 2016-A, Part I, volume 9562 of LNCS,pages 18–48. Springer, Heidelberg, January 2016.

[MR07] U. M. Maurer and D. Raub. Black-box extension fields and the inexistence of field-homomorphic one-waypermutations. In K. Kurosawa, editor, ASIACRYPT 2007, volume 4833 of LNCS, pages 427–443. Springer,Heidelberg, December 2007.

[MSS16] A. Menezes, P. Sarkar, and S. Singh. Challenges with assessing the impact of nfs advances on the securityof pairing-based cryptography. In International Conference on Cryptology in Malaysia, pages 83–108.Springer, 2016.

[MSZ16] E. Miles, A. Sahai, and M. Zhandry. Annihilation attacks for multilinear maps: Cryptanalysis ofindistinguishability obfuscation over GGH13. In M. Robshaw and J. Katz, editors, CRYPTO 2016, Part II,volume 9815 of LNCS, pages 629–658. Springer, Heidelberg, August 2016.

89

[MZ18] F. Ma and M. Zhandry. The MMap strikes back: Obfuscation and new multilinear maps immune toCLT13 zeroizing attacks. In A. Beimel and S. Dziembowski, editors, TCC 2018, Part II, volume 11240of LNCS, pages 513–543. Springer, Heidelberg, November 2018.

[NPR99] M. Naor, B. Pinkas, and O. Reingold. Distributed pseudo-random functions and KDCs. In J. Stern, editor,EUROCRYPT’99, volume 1592 of LNCS, pages 327–346. Springer, Heidelberg, May 1999.

[NR95] M. Naor and O. Reingold. Synthesizers and their application to the parallel construction of pseudo-randomfunctions. In 36th FOCS, pages 170–181. IEEE Computer Society Press, October 1995.

[Ps16] R. Pass and a. shelat. Impossibility of VBB obfuscation with ideal constant-degree graded encodings. InE. Kushilevitz and T. Malkin, editors, TCC 2016-A, Part I, volume 9562 of LNCS, pages 3–17. Springer,Heidelberg, January 2016.

[Reg05] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In H. N. Gabow andR. Fagin, editors, 37th ACM STOC, pages 84–93. ACM Press, May 2005.

[RSA78] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-keycryptosystems. Communications of the ACM, 21(2):120–126, 1978.

[Sha79] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.

[Sho97] V. Shoup. Lower bounds for discrete logarithms and related problems. In W. Fumy, editor, EURO-CRYPT’97, volume 1233 of LNCS, pages 256–266. Springer, Heidelberg, May 1997.

[SW14] A. Sahai and B. Waters. How to use indistinguishability obfuscation: deniable encryption, and more. InD. B. Shmoys, editor, 46th ACM STOC, pages 475–484. ACM Press, May / June 2014.

[YYHK18] T. Yamakawa, S. Yamada, G. Hanaoka, and N. Kunihiro. Generic hardness of inversion on ring and itsrelation to self-bilinear map. Cryptology ePrint Archive, Report 2018/463, 2018. https://eprint.iacr.org/2018/463.

[Zim15] J. Zimmerman. How to obfuscate programs directly. In E. Oswald and M. Fischlin, editors, EURO-CRYPT 2015, Part II, volume 9057 of LNCS, pages 439–467. Springer, Heidelberg, April 2015.

90



Documents

Ring Key-Homomorphic Weak PRFs and Applications · Ring Key-Homomorphic Weak PRFs and Applications Navid Alamati Hart Montgomeryy ... This is despite the fact that, in our opinion,